How to authenticate multiple AWS profiles using OIDC


Problem:

Using multiple AWS profiles in a CI/CD pipeline is helpful when you need to access different AWS accounts or IAM roles with distinct permissions.

This approach allows different parts of the pipeline to interact with separate AWS services, while keeping access permissions minimal and focused.

Solution:

The aws-cli/setup command accepts a profile_name parameter and can be called more than once in a workflow, so each call writes a separate named profile.

Once multiple profiles are set up, you can select one with the --profile argument of the AWS CLI.

version: '2.1'
orbs:
  aws-cli: circleci/aws-cli@4.1
jobs:
  aws-example:
    docker:
      - image: cimg/aws:2022.06
    resource_class: small
    steps:
      - checkout
      # run the aws-cli/setup command from the orb
      - aws-cli/setup:
          role_arn: arn:aws:iam::XXXXXXXXXXXX:role/oidc-role-abc
          profile_name: "OIDC-PROFILE-ABC"
      - aws-cli/setup:
          role_arn: arn:aws:iam::XXXXXXXXXXXX:role/oidc-role-xyz
          profile_name: "OIDC-PROFILE-XYZ"
      - run:
          name: get-caller-identity (profile ABC)
          command: |
            aws sts get-caller-identity --profile "OIDC-PROFILE-ABC"
      - run:
          name: get-caller-identity (profile XYZ)
          command: |
            aws sts get-caller-identity --profile "OIDC-PROFILE-XYZ"
workflows:
  OIDC-with-AWS:
    jobs:
      - aws-example:
          # must use a valid CircleCI context
          context: aws

The above works even when both role ARNs are within the same AWS account.

If the alternate role ARN is within the same AWS account, it is also possible to assume that role from your original profile, which likewise creates a new AWS CLI profile:

- aws-cli/role_arn_setup:
    role_arn: arn:aws:iam::xxxxxxxxxxxx:role/assumed-role-arn
    profile_name: "ASSUMED-PROFILE"
    source_profile: "OIDC-PROFILE-ABC"

In this scenario, the role behind source_profile must be granted permission to switch to (assume) the target role.
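Because each profile above is only as scoped as the role it resolved to, a guard step that checks the output of aws sts get-caller-identity against the role the pipeline expects catches a wrong or missing profile before any later step uses it. The following is an added example, not code from this article or from the aws-cli orb; the script name check_profile.py, the account number 123456789012 and the sample identity document are assumed or constructed for illustration.

```python
"""Verify that a CLI profile's credentials belong to the IAM role the pipeline expects.

Hypothetical usage in a CircleCI step (the check_profile.py file name is assumed):
    aws sts get-caller-identity --profile "OIDC-PROFILE-ABC" \
      | python3 check_profile.py arn:aws:iam::123456789012:role/oidc-role-abc
"""
import json
import re
import sys
from typing import Tuple

# STS reports assumed-role credentials as
# arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>; the role's path is omitted.
_STS_ASSUMED = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/.+$")
# IAM role ARN, optionally with a path: arn:aws:iam::<account>:role/<path/>role-name
_IAM_ROLE = re.compile(r"^arn:aws:iam::(\d{12}):role/(?:.*/)?([^/]+)$")


def assumed_role(identity_json: str) -> Tuple[str, str]:
    """Return (account, role name) from a get-caller-identity document."""
    arn = json.loads(identity_json)["Arn"]
    match = _STS_ASSUMED.match(arn)
    if not match:  # an IAM user or root identity means the OIDC setup did not take effect
        raise ValueError(f"not an assumed-role identity: {arn}")
    return match.group(1), match.group(2)


def check_profile(identity_json: str, expected_role_arn: str) -> bool:
    """True only if the identity was assumed from expected_role_arn (same account and role name)."""
    match = _IAM_ROLE.match(expected_role_arn)
    if not match:
        raise ValueError(f"not an IAM role ARN: {expected_role_arn}")
    return assumed_role(identity_json) == (match.group(1), match.group(2))


# Constructed sample, shaped like get-caller-identity output for the ABC profile above.
SAMPLE_ABC = json.dumps({
    "UserId": "AROAEXAMPLEROLEID:ci-session",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/oidc-role-abc/ci-session",
})

if __name__ == "__main__":
    expected = sys.argv[1]
    ok = check_profile(sys.stdin.read(), expected)
    print(("OK" if ok else "MISMATCH") + ": expected " + expected)
    sys.exit(0 if ok else 1)
```

The same check applies to a chained profile such as ASSUMED-PROFILE, whose identity document names the assumed role rather than the OIDC role it was reached from.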
