I have the CircleCI config.yml file below, where the value of role-arn is hardcoded:
orbs:
  aws-cli: circleci/[email protected]
jobs:
  aws-cli-example:
    docker:
      - image: cimg/python:3.11.0-node
    working_directory: ~/workspace
    environment:
      AWS_REGION: 'us-east-1'
    executor: aws-cli/default
    steps:
      - checkout
      - aws-cli/setup:
          role-arn: 'arn:aws:iam::<aws_account_id>:role/circleci_role'
      - run:
          name: CDK deployment in AWS
          command: |
            chmod +x .circleci/script1.sh
            source .circleci/script1.sh
workflows:
  aws-cli:
    jobs:
      - aws-cli-example:
          context: credentials
I do not want to hardcode that role in this config; instead I would like it to come from an environment variable. How can I accomplish that?
Thanks in advance
2 Answers
The solution to this issue is to use a role. Your job in CircleCI is the client trying to authenticate to the Authorization Service (CircleCI) to deploy services into AWS (Identity Provider).
As such you need to get a role from the Identity Provider (AWS). Your security team, admin, or someone with enough privilege should set up an AWS Web Identity Provider for CircleCI, and from that, for your specific CircleCI job, you should get a role with permissions to deploy the services you want. They should provide the role to you;
then you use the role in your CircleCI job (client).
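The provider and role the answer above says an admin must set up, as an added example that is not part of the original answer: a POSIX shell script that generates the IAM trust policy for CircleCI's OIDC issuer and, only when the hypothetical variables CIRCLECI_ORG_ID, CIRCLECI_PROJECT_ID and AWS_ACCOUNT_ID are set, creates the provider and role with the AWS CLI. The function names and the default role name `circleci_role` are assumptions made here; the claim layout (issuer `oidc.circleci.com/org/<org-id>`, `aud` equal to the org ID, `sub` of the form `org/<org-id>/project/<project-id>/user/<user-id>`) is CircleCI's documented token format. The point a reviewer should check is the `sub` condition: a policy that only tests `aud` lets every project in the organization assume the deployment role.

```shell
#!/bin/sh
# Hypothetical admin-side helper (added example, not from the question or the answers).
# Builds the IAM trust policy that lets one CircleCI project assume a role via OIDC and,
# only when real IDs are supplied through the environment, creates the provider and role.
set -eu

# CircleCI's OIDC issuer is per organization. The token's "aud" claim is the org ID and the
# "sub" claim is org/<org-id>/project/<project-id>/user/<user-id>.
circleci_issuer_host() {
  printf 'oidc.circleci.com/org/%s\n' "$1"
}

# Print a trust policy scoped to one org AND one project. Scoping "sub" to the project is
# the check that matters: with only the "aud" condition, any project in the org could
# assume this role. Assumes the standard "aws" partition.
circleci_trust_policy() {
  org_id="$1"
  project_id="$2"
  account_id="$3"
  host=$(circleci_issuer_host "$org_id")
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${account_id}:oidc-provider/${host}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${host}:aud": "${org_id}"
        },
        "StringLike": {
          "${host}:sub": "org/${org_id}/project/${project_id}/user/*"
        }
      }
    }
  ]
}
EOF
}

# Create the provider and the role. Older AWS CLI versions also require --thumbprint-list
# on create-open-id-connect-provider; add it if the call is rejected.
create_circleci_role() {
  org_id="$1"; project_id="$2"; account_id="$3"; role_name="$4"
  aws iam create-open-id-connect-provider \
    --url "https://$(circleci_issuer_host "$org_id")" \
    --client-id-list "$org_id"
  aws iam create-role \
    --role-name "$role_name" \
    --assume-role-policy-document "$(circleci_trust_policy "$org_id" "$project_id" "$account_id")"
  # Deployment permissions are attached separately; limit them to what the CDK deploy needs.
}

# Inert unless the caller supplies the (hypothetical) environment variables below.
if [ -n "${CIRCLECI_ORG_ID:-}" ] && [ -n "${CIRCLECI_PROJECT_ID:-}" ] && [ -n "${AWS_ACCOUNT_ID:-}" ]; then
  create_circleci_role "$CIRCLECI_ORG_ID" "$CIRCLECI_PROJECT_ID" "$AWS_ACCOUNT_ID" "${ROLE_NAME:-circleci_role}"
fi
```

The role ARN that `create-role` returns is the value the job later needs; it is not a secret, but keeping it out of the config still lets the same pipeline definition target different accounts by changing a context.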
Go to your CircleCI project settings, select Environment Variables, and add your ARN or AWS-specific secrets.
Then use it in AWS like this –
In that case I saved access keys in CircleCI env variables.
In your case, if you save your ARN under the name ARN –
Hope this helps.
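A job-side script for the asker's `script1.sh` slot, as an added example that is not part of either answer: it reads the role ARN from `AWS_ROLE_ARN` (a variable name assumed here; set it in the project settings or the `credentials` context as the answer above describes), validates it, and performs the OIDC exchange that the orb's `setup` command does internally, using CircleCI's built-in `CIRCLE_OIDC_TOKEN`. Recent versions of the `circleci/aws-cli` orb also expand a variable reference passed as the parameter, so `role-arn: ${AWS_ROLE_ARN}` is the shorter route if your orb version supports it; the script below is the equivalent with no orb involved, and it works with either approach because it only needs the token and the ARN. The function names and the validation rule are this example's own.

```shell
#!/bin/sh
# Hypothetical job-side script (added example, not from the question or the answers).
# Reads the role ARN from an environment variable set in a CircleCI context or in project
# settings and exchanges the job's OIDC token for temporary AWS credentials.
set -eu

# Accept only a well-formed IAM *role* ARN in the standard "aws" partition: exactly 12
# account digits followed by ":role/" and a non-empty name. A mistyped or empty variable
# otherwise surfaces late as an opaque STS error.
validate_role_arn() {
  case "$1" in
    arn:aws:iam::[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:role/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Derive a session name from CircleCI's built-in variables so CloudTrail shows which
# pipeline used the role. STS allows [A-Za-z0-9_=,.@-] and at most 64 characters.
role_session_name() {
  printf 'circleci-%s-%s\n' "$1" "$2" | tr -c 'A-Za-z0-9_=,.@\n-' '-' | cut -c1-64
}

# Exchange CIRCLE_OIDC_TOKEN for credentials and export them for the rest of the job
# (the CDK CLI reads them from the environment). Needs the aws CLI and network access.
assume_role_from_env() {
  validate_role_arn "${AWS_ROLE_ARN:-}" || { echo "AWS_ROLE_ARN missing or malformed" >&2; return 1; }
  session=$(role_session_name "${CIRCLE_PROJECT_REPONAME:-unknown}" "${CIRCLE_BUILD_NUM:-0}")
  creds=$(aws sts assume-role-with-web-identity \
    --role-arn "$AWS_ROLE_ARN" \
    --role-session-name "$session" \
    --web-identity-token "$CIRCLE_OIDC_TOKEN" \
    --duration-seconds 3600 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text)
  AWS_ACCESS_KEY_ID=$(printf '%s' "$creds" | cut -f1)
  AWS_SECRET_ACCESS_KEY=$(printf '%s' "$creds" | cut -f2)
  AWS_SESSION_TOKEN=$(printf '%s' "$creds" | cut -f3)
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  # CircleCI sources $BASH_ENV before each later step, so append the exports there to
  # make the credentials survive beyond this step.
  if [ -n "${BASH_ENV:-}" ]; then
    printf 'export AWS_ACCESS_KEY_ID=%s\nexport AWS_SECRET_ACCESS_KEY=%s\nexport AWS_SESSION_TOKEN=%s\n' \
      "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" "$AWS_SESSION_TOKEN" >> "$BASH_ENV"
  fi
}

# Only perform the exchange inside a CircleCI job that has an OIDC token available.
if [ -n "${CIRCLE_OIDC_TOKEN:-}" ]; then
  assume_role_from_env
fi
```

Because the credentials are short-lived and tied to the pipeline's identity, nothing long-lived is stored in CircleCI at all; the only value kept in the context is the role ARN, which is not a secret but should still be scoped to the one project the trust policy names.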