Configure OpenID Connect in AWS#
Available on: Scaleup
Open ID Connect allows your pipelines to access resources in Amazon Web Services (AWS) without the need to store long-lived access credentials in secrets.
In this guide, you will learn how to configure Google Cloud Workload Identity Provider to trust Semaphore OIDC as a federated identity and then to access cloud resources from your Semaphore Pipelines.
Adding Semaphore to AWS as an identity provider#
To connect to Amazon Web Services (AWS) from Semaphore using OpenID Connect, you will need to perform the following steps:
Step 1 - Configure AWS OIDC Identity Provider#
Configure AWS to support OpenID Connect by creating an IAM OIDC identity provider and an IAM role that trusts the provider. See Creating OpenID Connect (OIDC) identity providers.
- For the provider, set the full URL to your organization. Example:
https://acme.semaphoreci.com. - For the audience, set the full URL to your organization. Example:
https://acme.semaphoreci.com.`
Step 2 - Configuring a role and trust policy#
Configuring a role and trust policy that you will use to access resources on AWS. Follow the documentation on AWS about Creating a role for web identity or OIDC.
Edit the trust policy to restrict which projects and which branches are able to access the resources with this role:
"Condition": {
"StringEquals": {
"acme.semaphoreci.com:aud": "https://rtx.semaphoreci.com/",
"acme.semaphoreci.com:sub": "org:acme:project:936a5312-a3b8-4921-8b3f-2cec8baac574:repo:web:ref_type:branch:ref:refs/heads/main"
}
}
Adjust the above policy to match the organization, project, and branch that you want to use to access the resources.
Step 3 - Assume the role in a Semaphore pipeline#
Finally, in your Semaphore pipelines, assume the above role by adding the following commands:
commands:
- export ROLE_ARN="<>" # the AWS Role ARN you want to assume
- export SESSION_NAME="semaphore-job-${SEMAPHORE_JOB_ID}"
- export CREDENTIALS=$(aws sts assume-role-with-web-identity --role-arn $ROLE_ARN --role-session-name $SESSION_NAME --web-identity-token $SEMAPHORE_OIDC_TOKEN)
- export AWS_ACCESS_KEY_ID=$(echo $CREDENTIALS | jq -r '.Credentials.AccessKeyId')
- export AWS_SESSION_TOKEN=$(echo $CREDENTIALS | jq -r '.Credentials.SessionToken')
- export AWS_SECRET_ACCESS_KEY=$(echo $CREDENTIALS | jq -r '.Credentials.SecretAccessKey')