chore: Update documentation for the new option
christophe-scalepad committed Feb 21, 2024
1 parent 80a280e commit 7c8295f
Showing 2 changed files with 8 additions and 24 deletions.
8 changes: 8 additions & 0 deletions README.md
Expand Up @@ -78,6 +78,14 @@ Whether or not to automatically propagate all pipeline environment variables int

**Important**: only pipeline environment variables will be propagated (what you see in the BuildKite UI, those listed in `$BUILDKITE_ENV_FILE`). This does not include variables exported in preceeding `environment` hooks. If you wish for those to be propagated you will need to list them specifically or use `env-propagation-list`.

### `propagate-aws-auth-tokens` (run only, boolean)

Whether or not to automatically propagate aws authentication environment variables into the docker container. Avoiding the need to be specified with `environment`. This is useful for example if you are using an assume role plugin or you want to pass the role of an agent running in ECS or EKS to the docker container.

Will propagate `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_REGION`, `AWS_DEFAULT_REGION`, `AWS_STS_REGIONAL_ENDPOINTS`, `AWS_WEB_IDENTITY_TOKEN_FILE`, `AWS_ROLE_ARN`, `AWS_CONTAINER_CREDENTIALS_FULL_URI`, `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`, and `AWS_CONTAINER_AUTHORIZATION_TOKEN`, only if they are set already.

When the `AWS_WEB_IDENTITY_TOKEN_FILE` is specified, it will also mount it automatically for you and make it usable within the container.

#### `command` (run only, array)

Sets the command for the Docker image, and defaults the `shell` option to `false`. Useful if the Docker image has an entrypoint, or doesn't contain a shell.
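
Review bot: The new `propagate-aws-auth-tokens` section does not state the option's default or what enabling it exposes: with it on, whatever image the step runs receives the agent's `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`, `AWS_CONTAINER_AUTHORIZATION_TOKEN` and the mounted web identity token file. Suggest adding the default (`commands/run.sh` reads it with `"false"`) and a sentence saying the option should only be enabled for steps whose image is trusted with the agent's role. Two style points in the same section: the heading uses `###` while the neighbouring `command` option uses `####`, and "Avoiding the need to be specified with `environment`." is a fragment that reads better joined to the sentence before it.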
24 changes: 0 additions & 24 deletions commands/run.sh
Expand Up @@ -116,67 +116,43 @@ fi
if [[ "$(plugin_read_config PROPAGATE_AWS_AUTH_TOKENS "false")" =~ ^(true|on|1)$ ]] ; then
if [[ -n "${AWS_ACCESS_KEY_ID:-}" ]] ; then
run_params+=( --env "AWS_ACCESS_KEY_ID" )
else
echo "🚨 AWS_ACCESS_KEY_ID is not set, not propagating"
fi
if [[ -n "${AWS_SECRET_ACCESS_KEY:-}" ]] ; then
run_params+=( --env "AWS_SECRET_ACCESS_KEY" )
else
echo "🚨 AWS_SECRET_ACCESS_KEY is not set, not propagating"
fi
if [[ -n "${AWS_SESSION_TOKEN:-}" ]] ; then
run_params+=( --env "AWS_SESSION_TOKEN" )
else
echo "🚨 AWS_SESSION_TOKEN is not set, not propagating"
fi
if [[ -n "${AWS_REGION:-}" ]] ; then
run_params+=( --env "AWS_REGION" )
else
echo "🚨 AWS_REGION is not set, not propagating"
fi
if [[ -n "${AWS_DEFAULT_REGION:-}" ]] ; then
run_params+=( --env "AWS_DEFAULT_REGION" )
else
echo "🚨 AWS_DEFAULT_REGION is not set, not propagating"
fi
if [[ -n "${AWS_ROLE_ARN:-}" ]] ; then
run_params+=( --env "AWS_ROLE_ARN" )
else
echo "🚨 AWS_ROLE_ARN is not set, not propagating"
fi
if [[ -n "${AWS_STS_REGIONAL_ENDPOINTS:-}" ]] ; then
run_params+=( --env "AWS_STS_REGIONAL_ENDPOINTS" )
else
echo "🚨 AWS_STS_REGIONAL_ENDPOINTS is not set, not propagating"
fi
# Pass ECS variables when the agent is running in ECS
# https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html
if [[ -n "${AWS_CONTAINER_CREDENTIALS_FULL_URI:-}" ]] ; then
run_params+=( --env "AWS_CONTAINER_CREDENTIALS_FULL_URI" )
else
echo "🚨 AWS_CONTAINER_CREDENTIALS_FULL_URI is not set, not propagating"
fi
if [[ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]] ; then
run_params+=( --env "AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" )
else
echo "🚨 AWS_CONTAINER_CREDENTIALS_RELATIVE_URI is not set, not propagating"
fi
if [[ -n "${AWS_CONTAINER_AUTHORIZATION_TOKEN:-}" ]] ; then
run_params+=( --env "AWS_CONTAINER_AUTHORIZATION_TOKEN" )
else
echo "🚨 AWS_CONTAINER_AUTHORIZATION_TOKEN is not set, not propagating"
fi
# Pass EKS variables when the agent is running in EKS
# https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-minimum-sdk.html
if [[ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ]] ; then
run_params+=( --env "AWS_WEB_IDENTITY_TOKEN_FILE" )
# Add the token file as a volume
run_params+=( --volume "${AWS_WEB_IDENTITY_TOKEN_FILE}:${AWS_WEB_IDENTITY_TOKEN_FILE}" )
else
echo "🚨 AWS_WEB_IDENTITY_TOKEN_FILE is not set, not propagating"
fi
else
echo "🚨 Not propagating AWS credentials to container as PROPAGATE_AWS_AUTH_TOKENS is not set to true"
fi

# If requested, propagate a set of env vars as listed in a given env var to the
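
Review bot: Dropping the twelve `else`/`echo` branches in this block (they account for the file's 24 deletions) means a step that turns the option on but has none of the variables in its environment starts the container without AWS credentials and with nothing in the log to say so; consider one summary line after the block that lists the names, never the values, of the variables that were passed. This is a change to log output that the `chore: Update documentation` title does not mention, so note it in the commit message or split it into its own commit. Separately, in the unchanged `AWS_WEB_IDENTITY_TOKEN_FILE` branch the `--volume "${AWS_WEB_IDENTITY_TOKEN_FILE}:${AWS_WEB_IDENTITY_TOKEN_FILE}"` mount is read-write; appending `:ro` would keep the container from altering the agent's token file.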
