Merge pull request #4 from cookielab/OPS-558

feat(assume-role): Provide script for AssumeRoleWithWebIdentity

Author: joli-sys

Dockerfile

@@ -23,6 +23,7 @@ ARG AWS_CLI_VERSION
 COPY build-scripts/download-aws-cli.sh /tmp/download-aws-cli.sh
 RUN /tmp/download-aws-cli.sh
 
+COPY scripts/assume-role.sh /usr/local/bin/assume-role
 COPY scripts/deploy-s3-cf.sh /usr/local/bin/deploy-s3-cf
 
 FROM cookielab/container-image-tools:1.4.0-aws AS container-image-tools

README.md

@@ -8,3 +8,8 @@
 ## Scripts
 
 - `deploy-s3-cf` - for deploying static site to S3 and CloudFront
+- `assume-role` - Script for AssumeRoleWithWebIdentity
+    - Requirements:
+        - `$AWS_ROLE_ARN` = ENV variable for Role ARN
+        - `$AWS_ROLE_SESSION_NAME` = ENV variable for session name
+        - `$OIDC_TOKEN` = ENV variable for providing OIDC token

scripts/assume-role.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SESSION_EXPIRATION
+
+read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SESSION_EXPIRATION < <(
+    aws sts assume-role-with-web-identity \
+        --role-arn "${AWS_ROLE_ARN}" \
+        --role-session-name "${AWS_ROLE_SESSION_NAME}" \
+        --web-identity-token "${OIDC_TOKEN}" \
+        --duration-seconds 900 \
+        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
+        --output text
+)
+