I am getting a "Partial credentials found in env" error while running the command below.
aws sts assume-role-with-web-identity --role-arn $AWS_ROLE_ARN --role-session-name build-session --web-identity-token $BITBUCKET_STEP_OIDC_TOKEN --duration-seconds 1000
I am using the AWS CLI and Python versions below:
aws-cli/2.2.9 Python/3.8.8 Linux/5.4.92-flatcar exe/x86_64.debian.11 prompt/off
I’ve also set AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN as environment variables. Still I’m getting this error. I haven’t configured the AWS credentials file ~/.aws/credentials or the config file ~/.aws/config, as it is not required since I am using a web identity token to generate temporary credentials.
Below is the Bitbucket pipeline step:
- step:
    oidc: true
    name: Build
    image: python:3.7
    script:
      - export AWS_REGION=us-east-2
      - export AWS_ROLE_ARN=arn:aws:iam::XXXXXX:role/bitbucket-pipelines-sso
      - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
      - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
      - curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-2.2.9.zip" -o "awscliv2.zip" && unzip awscliv2.zip
      - ./aws/install -i /usr/local/aws-cli -b /usr/local/bin
      - aws sts assume-role-with-web-identity --role-arn $AWS_ROLE_ARN --role-session-name build-session --web-identity-token $BITBUCKET_STEP_OIDC_TOKEN --duration-seconds 1000 >> irp-cred.txt
2 Answers
Ugh... I was struggling for two days, and right after finally posting it on Stack Overflow, I thought of clearing the ENV variables and it worked. Somehow AWS keys were being stored in env, not sure how. I just cleared them with the command below and it worked :D
Instead of using the identity token file and unsetting the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY values, I simply override these values with the ones from the role. Here is an example:
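
Both answers point at the static key variables in the environment. As an added example (not part of either answer and not the posters' code), this shell snippet checks whether AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are absent, incomplete or complete, clears them, and then exports the role's temporary credentials. The function names are hypothetical; the `aws` arguments are the ones from the question plus the CLI's standard `--query` and `--output` options.

```shell
# Added example, not from the original posts; function names are hypothetical.

# Print none | partial | complete for the static key pair in the environment.
static_cred_state() {
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo complete
    elif [ -n "${AWS_ACCESS_KEY_ID:-}" ] || [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo partial
    else
        echo none
    fi
}

# Remove leftover static keys so they cannot shadow the web identity flow.
clear_static_creds() {
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Assume the role with the OIDC token and export the temporary credentials.
# Expects AWS_ROLE_ARN and BITBUCKET_STEP_OIDC_TOKEN, as in the pipeline step.
export_role_creds() {
    state=$(static_cred_state)
    if [ "$state" != none ]; then
        echo "static credentials in env: $state; clearing before STS call" >&2
        clear_static_creds
    fi
    creds=$(aws sts assume-role-with-web-identity \
        --role-arn "$AWS_ROLE_ARN" \
        --role-session-name build-session \
        --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" \
        --duration-seconds 1000 \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text) || return 1
    # --output text yields the three values as whitespace-separated fields.
    set -- $creds
    [ $# -eq 3 ] || return 1
    export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
}
```

Calling `export_role_creds` in the pipeline script keeps the temporary credentials in the step's environment rather than in a file such as irp-cred.txt.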