Anyone who has used AWS with CI/CD for long enough has invariably been told to store their AWS credentials in environment variables so that the AWS CLI can manage deployments or pull resources from S3. Storing long-lived account credentials this way is extremely unsafe for a variety of reasons.
AWS has been recommending that cloud-platform providers use the AssumeRole API to add another layer of security and traceability to external access to AWS credentials. As a proud APN DevOps Competency Partner, we're excited to be the first cloud CI/CD provider to announce our adoption of AWS AssumeRole as the recommended and most secure way to use AWS account credentials with your Solano CI builds!
Using AssumeRole w/ Solano CI
Follow the instructions here on setting up a cross-account AssumeRole policy in AWS. Make sure to follow the section that mentions “Allows IAM users from a 3rd party AWS account to access this account”.
You will be prompted for the External ID and AWS Account ID for the external account; you can find this information in your organization's settings page.
Continue through the instructions, and copy the ARN for the new policy into the organization settings page and click “Save AWS AssumeRole ARN”. We will run a test to make sure the role has been set up correctly, and you will be presented with the following success message:
You can now use the AWS CodeDeploy / Solano CI integration without having to include credential environment variables in your build! You will also have access to the following temporary AssumeRole environment variables, which allow you to authenticate AWS requests using the new role:
AWS_ASSUME_ROLE_ACCESS_KEY_ID
AWS_ASSUME_ROLE_SECRET_ACCESS_KEY
AWS_ASSUME_ROLE_SESSION_TOKEN
Use these exactly as you would have used hard-coded environment variables, without the guilt of hard-coding never-expiring credentials!
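As an added example (not code from this post or from Solano CI), here is a POSIX sh snippet a build script could source to copy the three temporary AssumeRole variables into the standard variables the AWS CLI reads, failing early if any of them is missing; the function names and the optional identity check are assumptions about how a build would use them.

```shell
#!/bin/sh
# Added example, not part of the Solano CI post: map the temporary AssumeRole
# credentials injected into the build into the standard AWS CLI variables.

# Fail with a clear message if the named variable is unset or empty.
require_var() {
    eval "_value=\${$1:-}"
    if [ -z "$_value" ]; then
        echo "require_var: $1 is not set; was the AssumeRole ARN saved in the organization settings?" >&2
        return 1
    fi
}

# Export AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN from the
# AWS_ASSUME_ROLE_* values. All three are required: a session token is useless
# without its matching temporary key pair, and vice versa.
use_assume_role_credentials() {
    require_var AWS_ASSUME_ROLE_ACCESS_KEY_ID || return 1
    require_var AWS_ASSUME_ROLE_SECRET_ACCESS_KEY || return 1
    require_var AWS_ASSUME_ROLE_SESSION_TOKEN || return 1
    # Overwrite any long-lived keys left over from the old approach so the CLI
    # cannot silently fall back to them.
    AWS_ACCESS_KEY_ID="$AWS_ASSUME_ROLE_ACCESS_KEY_ID"
    AWS_SECRET_ACCESS_KEY="$AWS_ASSUME_ROLE_SECRET_ACCESS_KEY"
    AWS_SESSION_TOKEN="$AWS_ASSUME_ROLE_SESSION_TOKEN"
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    return 0
}

# Optional: confirm the temporary credentials authenticate as the assumed role.
# Skipped when the AWS CLI is not installed, so the script still runs offline.
verify_assume_role_identity() {
    if command -v aws >/dev/null 2>&1; then
        aws sts get-caller-identity
    else
        echo "aws CLI not installed; skipping identity check" >&2
    fi
}
```

Source this file at the start of a build step and call `use_assume_role_credentials` before any `aws` command; the assumed-role ARN that `verify_assume_role_identity` prints is what will appear in CloudTrail for the build's API calls.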
As always, please reach out to us via firstname.lastname@example.org if you have any additional questions!