Tags: amazon-web-services, github, openid-connect, semaphore-ci

SemaphoreCI OIDC AWS connection


I have a SemaphoreCI organization; let it be eXamPle.semaphoreci.com. There is a project in this organization named pRojeCt. This project is connected to the GitHub repository github.com/OrgName/pRojeCt. I want to establish a connection to AWS from a SemaphoreCI pipeline using an OIDC token. I have created an IAM role with the needed permissions whose ARN is arn:aws:iam::123456789012:role/SEMAPHORE-CI-ROLE. I have set the following trust policy for this role:

"Condition": {
    "StringEquals": {
        "eXamPle.semaphoreci.com:aud": "https://eXamPle.semaphoreci.com"
    },
    "StringLike": {
        "eXamPle.semaphoreci.com:sub": "org:eXamPle:project:231ddr13-2d2b-876g-3d75-123r4u1ht6y9:repo:OrgName/pRojeCt:ref_type:branch:ref:refs/heads/*"
    }
}

I have added the following commands to the Semaphore job:

jobs:
  - name: "Test IAM role connection"
    commands:
      - checkout
      - export ROLE_ARN="arn:aws:iam::123456789012:role/SEMAPHORE-CI-ROLE"
      - export SESSION_NAME="semaphore-job-$SEMAPHORE_JOB_ID"
      - export CREDENTIALS=$(aws sts assume-role-with-web-identity --role-arn $ROLE_ARN --role-session-name $SESSION_NAME --web-identity-token $SEMAPHORE_OIDC_TOKEN)
      - export AWS_ACCESS_KEY_ID=$(echo $CREDENTIALS | jq -r '.Credentials.AccessKeyId')
      - export AWS_SESSION_TOKEN=$(echo $CREDENTIALS | jq -r '.Credentials.SessionToken')
      - export AWS_SECRET_ACCESS_KEY=$(echo $CREDENTIALS | jq -r '.Credentials.SecretAccessKey')
      - aws sts get-caller-identity

But aws sts get-caller-identity returns the error "Unable to locate credentials. You can configure credentials by running "aws configure"." I tried to echo the $SEMAPHORE_OIDC_TOKEN variable, but it is empty. What am I doing wrong?


Solution

  • OK, sorry, guys! I'm not sure if the trust policy is OK, but our team has the Startup billing plan, which doesn't support OIDC for now...

    BTW, someone had given an answer regarding checking the billing plan, but he removed it for some reason...
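Two things in the question are worth checking before the assume-role call ever runs: whether the runner actually issued a token at all (the asker's symptom: an empty SEMAPHORE_OIDC_TOKEN, after which assume-role-with-web-identity fails, jq receives nothing, and the exported credential variables end up empty, hence "Unable to locate credentials"), and whether the token's claims would satisfy the trust policy's StringEquals / StringLike conditions. The following preflight script is an added example, not code from the original post and not Semaphore's or AWS's own tooling. It decodes the JWT payload without verifying the signature (STS does that against the provider's JWKS; the goal here is only to predict the policy match), then evaluates the Condition block from the question with IAM's wildcard semantics for StringLike (`*` matches any run of characters, `?` exactly one, everything else literal). The sample claims and the unsigned token builder are constructed for the example; the aud/sub values are taken from the question's trust policy and are assumed to be what the provider issues.

```python
"""Preflight for a CI -> AWS AssumeRoleWithWebIdentity job (added example).

Decodes the OIDC JWT the runner exposes (no signature check; STS does that)
and evaluates the role trust policy's Condition block against its claims,
so an empty token or a claim mismatch is reported up front instead of
surfacing later as "Unable to locate credentials".
"""
import base64
import json
import os
import re
import sys

# Condition block from the question's trust policy (assumed verbatim).
# IAM condition keys for an OIDC provider have the form "<issuer host>:<claim>".
ISSUER_HOST = "eXamPle.semaphoreci.com"
TRUST_POLICY_CONDITION = {
    "StringEquals": {
        f"{ISSUER_HOST}:aud": "https://eXamPle.semaphoreci.com",
    },
    "StringLike": {
        f"{ISSUER_HOST}:sub": (
            "org:eXamPle:project:231ddr13-2d2b-876g-3d75-123r4u1ht6y9"
            ":repo:OrgName/pRojeCt:ref_type:branch:ref:refs/heads/*"
        ),
    },
}

# Constructed sample claims (not real tokens): one that should match the
# policy, and one for a tag build that the ref_type:branch pin must reject.
GOOD_CLAIMS = {
    "iss": "https://eXamPle.semaphoreci.com",
    "aud": "https://eXamPle.semaphoreci.com",
    "sub": "org:eXamPle:project:231ddr13-2d2b-876g-3d75-123r4u1ht6y9"
           ":repo:OrgName/pRojeCt:ref_type:branch:ref:refs/heads/main",
}
TAG_CLAIMS = dict(GOOD_CLAIMS, sub=(
    "org:eXamPle:project:231ddr13-2d2b-876g-3d75-123r4u1ht6y9"
    ":repo:OrgName/pRojeCt:ref_type:tag:ref:refs/tags/v1.0"))


def _b64url_decode(segment: str) -> bytes:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. Deliberately no signature
    verification: STS validates the token; we only predict the policy match."""
    if not token or not token.strip():
        raise ValueError("OIDC token is empty: the runner did not issue one")
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"not a compact JWT: expected 3 segments, got {len(parts)}")
    return json.loads(_b64url_decode(parts[1]))


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive; '*' matches any run of characters
    (including '/'), '?' matches one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def evaluate_condition(condition: dict, claims: dict, issuer_host: str) -> list:
    """Return a list of failure messages; an empty list means the trust policy
    Condition would match these claims. Handles single or list values on both
    sides (IAM allows a list of expected values; 'aud' may be a list)."""
    failures = []
    for operator, checks in condition.items():
        for key, expected in checks.items():
            host, _, claim = key.partition(":")
            if host != issuer_host:
                failures.append(f"{key}: key does not belong to issuer {issuer_host}")
                continue
            actual = claims.get(claim)
            if actual is None:
                failures.append(f"{key}: claim '{claim}' missing from token")
                continue
            expected_values = expected if isinstance(expected, list) else [expected]
            actual_values = actual if isinstance(actual, list) else [actual]
            if operator == "StringEquals":
                ok = any(a in expected_values for a in actual_values)
            elif operator == "StringLike":
                ok = any(iam_string_like(p, a) for p in expected_values for a in actual_values)
            else:
                failures.append(f"{key}: operator {operator} not handled by this check")
                continue
            if not ok:
                failures.append(f"{key}: {actual!r} does not satisfy {operator} {expected_values}")
    return failures


def preflight(token: str, condition: dict = TRUST_POLICY_CONDITION,
              issuer_host: str = ISSUER_HOST) -> list:
    """Full check: non-empty well-formed token, then policy match."""
    return evaluate_condition(condition, decode_jwt_claims(token), issuer_host)


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token with a fake signature; only for exercising the matcher."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.fakesig"


if __name__ == "__main__":
    # In the job: run this before assume-role-with-web-identity and fail fast.
    try:
        problems = preflight(os.environ.get("SEMAPHORE_OIDC_TOKEN", ""))
    except ValueError as exc:
        sys.exit(f"preflight: {exc}")
    for p in problems:
        print(f"preflight: {p}", file=sys.stderr)
    sys.exit(1 if problems else 0)
```

Run it as a job step ahead of the `aws sts assume-role-with-web-identity` line; with the asker's empty variable it exits immediately with "OIDC token is empty" rather than letting the later jq pipeline silently export empty credentials. The tag-build sample shows why the `ref_type:branch` literal in the sub pattern matters: `refs/heads/*` alone would not stop a tag token, but the pinned ref_type does.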