Live Fast and Start Using Short-Term AWS Credentials in Your CI Pipeline

In a world of infrastructure-as-code and CI/CD pipelines, securing AWS credentials becomes a critical concern. In this blog, you will learn how to improve security by using short-term AWS credentials in your pipelines.

As organizations embrace the cloud and adopt CI/CD pipelines for their software delivery, securing AWS credentials becomes a critical concern. Traditionally, users have configured long-term AWS access keys in their CI pipeline configurations, which poses a security risk if those keys are exposed or compromised. In this blog, we’ll explore a preferred approach that leverages short-term AWS credentials for improved security. We’ll demonstrate with Terraform code snippets how to set up an AWS IAM OpenID Connect provider, define the IAM trust policy for assuming a role, and configure GitHub Actions to use short-term credentials. Let’s dive in!

Typical Approach: Using Long-Term AWS Credentials in CI

In typical CI pipelines, developers have used long-term AWS access keys to authenticate and authorize their CI/CD jobs. These static credentials are stored as environment variables or secrets within CI pipeline configurations, which is a security risk if they fall into the wrong hands: compromised credentials may lead to unauthorized access, data breaches, or costly infrastructure misuse.

To enhance security, a recommended approach is to leverage short-term AWS credentials with limited access. These short-term credentials have a shorter lifespan, reducing the window of opportunity for unauthorized access. They are obtained from the AWS Security Token Service (STS) through web identity federation: an AWS IAM OpenID Connect provider trusts tokens issued by an external identity provider (IdP), in our case GitHub.

Setting Up AWS IAM OpenID Connect Provider

To get started, we’ll configure an AWS IAM OpenID Connect provider. This allows us to authenticate with AWS using an external identity provider such as GitHub.

# Fetch the TLS certificate chain of GitHub's OIDC issuer so its thumbprint can be pinned.
data "tls_certificate" "github" {
  url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
}

# Register GitHub as an OIDC identity provider in the AWS account.
resource "aws_iam_openid_connect_provider" "default" {
  client_id_list  = ["sts.amazonaws.com"] # audience (aud) that the tokens must carry
  thumbprint_list = [data.tls_certificate.github.certificates[0].sha1_fingerprint]
  url             = "https://token.actions.githubusercontent.com"
}

Defining IAM Policy for Assuming Roles

Next, we need to define the trust policy that allows a GitHub Actions workflow identity to call sts:AssumeRoleWithWebIdentity. This policy document will be attached as the assume-role policy of the IAM role used in the CI pipeline.

data "aws_iam_policy_document" "assume_role_policy_document" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    effect  = "Allow"

    # Only workflows from this repository may assume the role. The trailing "*" matches
    # every branch, tag, pull request and environment of the repo; narrow it (for example
    # "repo:YOUR-ORG/YOUR-REPO:ref:refs/heads/main") to restrict which workflows qualify.
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:YOUR-ORG/YOUR-REPO:*"]
    }

    condition {
      test     = "ForAllValues:StringEquals"
      variable = "token.actions.githubusercontent.com:iss"
      values   = ["https://token.actions.githubusercontent.com"]
    }

    # The audience is a single value, so plain StringEquals is used here: a ForAllValues
    # qualifier evaluates to true when the key is absent from the request, which is
    # unsafe in an Allow statement.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Trust only tokens issued through the OIDC provider created above.
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.default.arn]
    }
  }
}
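To complete the setup, here is the IAM role that the trust policy above is attached to, together with a least-privilege permissions policy and an output you can paste into the workflow. This is an added example, not code from the original post; the role name, the bucket name and the S3 actions are placeholders for whatever your pipeline actually needs.

```hcl
# Added example: the role assumed by the GitHub Actions workflow.
resource "aws_iam_role" "github_actions" {
  name               = "github-actions-ci" # placeholder name
  assume_role_policy = data.aws_iam_policy_document.assume_role_policy_document.json

  # 1 hour is the minimum a role allows; keeps any leaked session token short-lived.
  max_session_duration = 3600
}

# Grant only what the pipeline does. Here: read deployment artifacts from one bucket.
data "aws_iam_policy_document" "ci_permissions" {
  statement {
    sid     = "ReadDeploymentArtifacts"
    effect  = "Allow"
    actions = ["s3:GetObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::YOUR-ARTIFACT-BUCKET",   # placeholder bucket
      "arn:aws:s3:::YOUR-ARTIFACT-BUCKET/*",
    ]
  }
}

# Inline policy scoped to this role only; no shared managed policy to drift.
resource "aws_iam_role_policy" "ci_permissions" {
  name   = "ci-permissions"
  role   = aws_iam_role.github_actions.id
  policy = data.aws_iam_policy_document.ci_permissions.json
}

# Value to use for role-to-assume in the GitHub Actions workflow.
output "github_actions_role_arn" {
  value = aws_iam_role.github_actions.arn
}
```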

Configuring GitHub Actions with Short-Term Credentials

Now, let’s configure GitHub Actions to obtain short-term AWS credentials using the aws-actions/configure-aws-credentials@v2 GitHub Action.

jobs:
  github-auth:
    name: Test aws-actions/configure-aws-credentials@v2
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # required so the job can request an OIDC token from GitHub
      contents: read   # read is enough to check out code; grant write only if the job pushes
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: <IAM Role ARN>
          aws-region: <AWS Region>
      # Verify which identity the short-term credentials resolve to.
      - run: aws sts get-caller-identity

You can find the documentation, use cases and source code for this GitHub Action here: aws-actions/configure-aws-credentials.

Conclusion

By adopting short-term AWS credentials in your CI pipeline, you enhance the security of your AWS resources. Leveraging AWS IAM OpenID Connect, defining an IAM policy for assuming roles, and configuring GitHub Actions with short-term credentials, you significantly reduce the risk of credential exposure and unauthorized access.
