Improved AWS example
dbaumgarten committed Nov 27, 2024
1 parent 41fe496 commit d6250a7
Showing 2 changed files with 20 additions and 1 deletion.
Binary file added 139-pipeline-identity-tokens/img/AWS-IDP.png
21 changes: 20 additions & 1 deletion 139-pipeline-identity-tokens/proposal.md
@@ -18,7 +18,7 @@ Lot's if other services already implement something like this. One well knwon ex
## Usage with AWS
For example a Pipeline could use AWS's [AssumeRoleWithWebIdentity API-Call](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) to authenticate with AWS using it's concourse-token and do stuff in AWS. It is even [diretly supported by the AWS CLI](https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role-with-web-identity.html)

1. Create an OIDC-Identity-Provider in the AWS Account for your Concourse Server
1. Create an OIDC-Identity-Provider for your Concourse Server in the AWS Account you would like to use. Like [this](img/AWS-IDP.png).
2. Create an AWS.IAM-Role with the required deployment-permissions and the following trust policy:
```
{
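Review bot: the new step 1 swaps the description of the identity provider for a link to the screenshot added in this commit (img/AWS-IDP.png), so the text itself no longer says what to configure; please state the two values the screenshot conveys in words, the provider URL (the Concourse server's issuer URL) and the audience that the trust policy below checks against the token's aud claim, so the step is usable without the image and reviewable in future diffs. While you are in this section, the context line "For example a Pipeline could use ..." has two typos: "using it's concourse-token" should be "using its concourse-token", and "diretly" should be "directly".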
@@ -50,6 +50,25 @@ And conveniently Concourse will create exactly such a token and supply it to (an

When code inside a pipeline performs the AssumeRoleWithWebIdentity API-Call, AWS will check the provided token for expiry, query concourse to obtain the correct signature-verification key and use it to check the JWT's signature. It will then compare the aud-claim of the token with the one specified in the Role's trust policy. If everything checks out, AWS will return temporary AWS-Credentials that the pipeline can then use to perfor actions in AWS.

In a concourse pipeline all of this could then look like this:
```
- task: get-image-tag
image: base-image
config:
platform: linux
run:
path: bash
dir: idp-servicebroker
args:
- -ceux
- aws sts assume-role-with-web-identity --d
--provider-id "<ARN of the Identity Provider of Step 1>" \
--role-arn "<ARN of the role to be assumed>" \
--web-identity-token (( idtoken ))
- // do stuff with the new AWS-Permissions
```


## Usage with vault
The feature would also allow pipelines to authenticate with vault. This way a pipeline could directly access vault and use all of it's features, not only the limited stuff that is provided by concourse natively.

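Review bot: the shell command in the new pipeline example will not run as written: `aws sts assume-role-with-web-identity --d` ends in a truncated option with no trailing `\`, and `--provider-id` is the parameter AWS reserves for OAuth 2.0 access tokens (www.amazon.com, graph.facebook.com) and must not be set for an OIDC ID token, while the required `--role-session-name` is missing. Suggested shape: `aws sts assume-role-with-web-identity --role-arn "<ARN of the role to be assumed>" --role-session-name "<session name>" --web-identity-token (( idtoken ))`, ideally as a `|` block scalar so the multi-line command does not depend on YAML plain-scalar folding. Two further points: `- -ceux` turns on `-x`, which echoes every command to stderr, so the ID token passed on the command line lands verbatim in the build log; drop the `x` or hand the token over via a file or environment variable. And `task: get-image-tag`, `dir: idp-servicebroker` and the `- // do stuff ...` list item (which bash receives as an extra positional argument, not a comment) look like leftovers from another pipeline. Finally, the paragraph above describes AWS checking only the aud claim; it is worth adding that the trust policy can also condition on the token's sub claim to limit the role to specific teams or pipelines instead of any token issued by the Concourse instance.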

0 comments on commit d6250a7