I have a couple of steps/stages set up in my .gitlab-ci.yml file (shown below). In one of the stages, I install the AWS CLI and assume a role. Is it possible to pass the values I get from the aws sts call to another stage in GitLab? Or is it possible to have different scripts running in different images in the same step, so that we don't have to pass credentials to another stage? I did some research and found a few SO questions on this, for example write variables to a file and export them as artifacts, but how do I read them in my next step?
```yaml
stage_one:
  stage: transform
  image: alpineimage
  script:
    - apt update && apt install -y awscli
    # Export the temporary credentials returned by STS into this job's shell.
    # A literal block (|) keeps the backslash line continuations intact;
    # a plain multi-line YAML scalar would fold them and break the command.
    - |
      export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
        $(aws sts assume-role \
          --role-arn arn:aws:iam::123456789012:role/MyAssumedRole \
          --role-session-name MySessionName \
          --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
          --output text))

stage_two:
  stage: transform
  image: someotherimage
  script:
```
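One way to hand those three values to a later job is GitLab's dotenv report artifact: the first job writes a `KEY=value` file and declares it under `artifacts: reports: dotenv:`, and GitLab injects those keys as variables into jobs that run after it. The shell below is an added example, not the questioner's code: it converts the `--output text` form of the STS response (a constructed sample with fake values) into dotenv lines, and reads them back the way the later job would see them, rejecting anything that is not a plain `KEY=value` line. Note that a dotenv report is still a job artifact, so anyone who can download the job's artifacts can read the temporary credentials for as long as the artifact exists; keep `expire_in` short, or prefer the OIDC approach from the answer, which never writes a long-lived secret into CI at all.

```shell
#!/bin/sh
# Added example (not the questioner's code): write the three STS values as a
# dotenv file for `artifacts: reports: dotenv:` and read them back the way a
# later job would. The STS output below is constructed; the values are fake.
TAB=$(printf '\t')
SAMPLE_STS_TEXT=$(printf 'ASIAEXAMPLE123456789\twJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\tFwoGZXIvYXdzEXAMPLESESSIONTOKEN==')

# write_dotenv <sts-text-line> <path>
# STS `--output text` prints AccessKeyId, SecretAccessKey and SessionToken
# tab-separated on one line; each becomes one KEY=value line in the file.
write_dotenv() {
    sts_line=$1
    out=$2
    IFS=$TAB read -r access_key secret_key session_token <<EOF
$sts_line
EOF
    if [ -z "$access_key" ] || [ -z "$secret_key" ] || [ -z "$session_token" ]; then
        echo "write_dotenv: expected three tab-separated fields" >&2
        return 1
    fi
    umask 077   # the file holds live credentials; keep it private on the runner
    printf 'AWS_ACCESS_KEY_ID=%s\nAWS_SECRET_ACCESS_KEY=%s\nAWS_SESSION_TOKEN=%s\n' \
        "$access_key" "$secret_key" "$session_token" > "$out"
}

# load_dotenv <path>
# Mirrors what GitLab does for a later job: each KEY=value line is exported.
# The file is parsed rather than sourced, so a tampered artifact cannot run
# commands; lines without '=' or with a non-identifier key are skipped.
load_dotenv() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *=*) ;;
            *) echo "load_dotenv: skipping invalid line: $line" >&2; continue ;;
        esac
        key=${line%%=*}
        value=${line#*=}
        case $key in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "load_dotenv: skipping invalid key: $key" >&2; continue ;;
        esac
        export "$key=$value"
    done < "$1"
}

# have_aws_creds: succeeds when all three variables are set, without printing them.
have_aws_creds() {
    [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] \
        && [ -n "${AWS_SESSION_TOKEN:-}" ]
}

# Demo runs only as `sh this.sh demo`, so sourcing the file has no side effects.
if [ "${1:-}" = demo ]; then
    write_dotenv "$SAMPLE_STS_TEXT" creds.env
    load_dotenv creds.env
    have_aws_creds && echo "credentials loaded from creds.env"
fi
```

In the pipeline, `write_dotenv` would be fed the real `aws sts assume-role ... --output text` line in `stage_one` and the file named under `artifacts: reports: dotenv: creds.env`; `load_dotenv` is only there to show what the injected environment looks like, since GitLab performs that step itself for the later job.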
Not what you asked, but all that convolution can be avoided by simply using the AWS SDKs' built-in features.
E.g.:
```yaml
job:
  id_token:
    TOKEN_AWS:
      aud: https://aws.com
  variables:
    AWS_ROLE_ARN: arn:aws:iam::123456789012:role/MyAssumedRole
    AWS_WEB_IDENTITY_TOKEN_FILE: $RUNNER_TEMP_PROJECT_DIR/aws-web-identity-token-file
  before_script:
    - echo $TOKEN_AWS > $AWS_WEB_IDENTITY_TOKEN_FILE
  script: ...
```
if you are using OIDC.
Otherwise, just delegate assuming the role to the Terraform AWS provider:
```hcl
provider "aws" {
  assume_role {
    role_arn = "arn:aws:iam::123456789012:role/MyAssumedRole"
  }
}
```
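With the OIDC setup above, the AWS SDK reads the file named by `AWS_WEB_IDENTITY_TOKEN_FILE` and calls `AssumeRoleWithWebIdentity` itself, so nothing secret is ever exported between jobs. What usually goes wrong is the token rather than the SDK: the `aud` claim does not match what the IAM role's trust policy expects, or the token has expired by the time a long job reaches its AWS step. The shell below is an added example, not from the answer and not GitLab's or AWS's code: it decodes the JWT payload and checks `aud` and `exp` before any `aws` or `terraform` command runs. It inspects claims only; the signature is verified by STS against GitLab's published keys, not here. Assumptions: the audience `https://aws.com` is the one from the answer's config, the issuer `https://gitlab.example` and the test token are constructed, and the `sed`-based extraction assumes the compact JSON that real JWT payloads use (use `jq` where it is available).

```shell
#!/bin/sh
# Added example, not from the answer above or from GitLab/AWS.
# Pre-flight checks on the GitLab id_token before the AWS SDK reads it from
# AWS_WEB_IDENTITY_TOKEN_FILE. Claims only; the signature is verified by STS.

# b64url_decode <text>: base64url (RFC 4648 section 5) to bytes, restoring padding.
b64url_decode() {
    s=$(printf '%s' "$1" | tr -- '-_' '+/')
    case $(( ${#s} % 4 )) in
        2) s="$s==" ;;
        3) s="$s=" ;;
    esac
    printf '%s' "$s" | base64 -d
}

# jwt_payload <token>: decoded JSON payload (second dot-separated segment).
jwt_payload() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# jwt_claim <token> <name>: a string or number claim from compact JSON.
# Assumes the unspaced JSON of a real JWT payload; use jq for anything richer.
jwt_claim() {
    jwt_payload "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# check_token_file <path> <expected-aud>: 0 if the token is usable, 1 otherwise.
check_token_file() {
    file=$1; want_aud=$2
    [ -s "$file" ] || { echo "token file missing or empty: $file" >&2; return 1; }
    token=$(cat "$file")
    dots=$(printf '%s' "$token" | tr -cd '.' | wc -c)
    [ "$dots" -eq 2 ] || { echo "not a JWT: expected 3 segments" >&2; return 1; }
    aud=$(jwt_claim "$token" aud)
    [ "$aud" = "$want_aud" ] || { echo "aud mismatch: got '$aud', want '$want_aud'" >&2; return 1; }
    exp=$(jwt_claim "$token" exp)
    now=$(date +%s)
    [ -n "$exp" ] && [ "$exp" -gt "$now" ] || { echo "token expired or has no exp" >&2; return 1; }
    return 0
}

# make_test_token <aud> <exp>: constructed, UNSIGNED token for offline testing
# only (the signature segment is a placeholder). Issuer and subject are made up.
make_test_token() {
    hdr=$(printf '{"alg":"RS256","typ":"JWT"}' | base64 | tr -d '=\n' | tr '+/' '-_')
    pl=$(printf '{"iss":"https://gitlab.example","aud":"%s","exp":%s,"sub":"project_path:group/app:ref_type:branch:ref:main"}' "$1" "$2" \
         | base64 | tr -d '=\n' | tr '+/' '-_')
    printf '%s.%s.%s' "$hdr" "$pl" "placeholder-signature"
}

# Usage in the job, right after before_script has written the token file:
#   check_token_file "$AWS_WEB_IDENTITY_TOKEN_FILE" https://aws.com || exit 1
```

On the IAM side, the role's trust policy must allow the GitLab OIDC provider and should condition on both the audience and the subject claim (IAM exposes them as the provider host followed by `:aud` and `:sub`), so that only the intended project and branch can assume `MyAssumedRole`; the `aud` check above fails fast in CI when the two sides disagree instead of surfacing as an opaque `AccessDenied` from STS.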