
Commit 79be7b9

committed
Script assume role updated
1 parent 69050b7 commit 79be7b9


1 file changed

+44
-37
lines changed


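--- a/azure/new_pipelines/aws-assume-role-new-int.yml
+++ b/azure/new_pipelines/aws-assume-role-new-int.yml
@@ -16,57 +16,64 @@ steps:
 echo "##vso[task.setvariable variable=AWS_ACCOUNT_ID]${{ parameters.aws_account_id }}"
 displayName: get imms role name
 - bash: |
+set -e
+
+echo "Running aws sts get-caller-identity:"
 aws sts get-caller-identity
 
-set -e
-aws_role="$(ROLE)"
-echo "assume role: '${aws_role}'"
-echo "account_id: $(AWS_ACCOUNT_ID)"
-
-aws_role="arn:aws:iam::$(AWS_ACCOUNT_ID):role/${aws_role}"
-echo "AWS role: $aws_role"
+aws_role="$ROLE"
+aws_account_id="$AWS_ACCOUNT_ID"
+
+echo "Assume role: ${aws_role}"
+echo "Account ID: ${aws_account_id}"
 
-echo "Check if role exists"
-# iam synchronisation issues can take a few to make the role appear
+aws_role_arn="arn:aws:iam::${aws_account_id}:role/${aws_role}"
+echo "AWS role ARN: ${aws_role_arn}"
+
+echo "Checking if role exists"
 for i in {1..15}; do
-if aws iam get-role --role-name ${aws_role} > /dev/null; then
-echo role exists
+if aws iam get-role --role-name "${aws_role}" > /dev/null 2>&1; then
+echo "Role exists"
 sleep 2
 break
 fi
-echo waiting for role ...
+echo "Waiting for role ..."
 sleep 2
 done
-account_id="$(aws sts get-caller-identity --query Account --output text)"
-aws_role="arn:aws:iam::${account_id}:role/${aws_role}"
-
-cp ~/.aws/config.default ~/.aws/config
-tmp_file="$(Agent.TempDirectory)/.aws.tmp.creds.json"
-# add some backoff to allow for eventual consistency of IAM
-for i in {2..4};
-do
-if aws sts assume-role --role-arn "${aws_role}" --role-session-name build-assume-role > ${tmp_file}; then
-echo assumed role
-assumed_role="yes"
-break
-fi
-let "sleep_for=$i*10";
-sleep $sleep_for
+
+cp "${HOME}/.aws/config.default" "${HOME}/.aws/config"
+tmp_file="${AGENT_TEMPDIRECTORY}/.aws.tmp.creds.json"
+
+for i in {2..4}; do
+if aws sts assume-role --role-arn "${aws_role_arn}" --role-session-name build-assume-role > "${tmp_file}"; then
+echo "Assumed role"
+assumed_role="yes"
+break
+fi
+sleep_for=$((i * 10))
+echo "Retrying assume-role in $sleep_for seconds..."
+sleep "$sleep_for"
 done
+
 if [[ "${assumed_role}" != "yes" ]]; then
-echo "assume role failed"
-exit -1
+echo "Assume role failed"
+exit 1
 fi
-echo "aws_access_key_id = $(jq -r .Credentials.AccessKeyId ${tmp_file})" >> ~/.aws/config
-echo "aws_secret_access_key = $(jq -r .Credentials.SecretAccessKey ${tmp_file})" >> ~/.aws/config
-echo "aws_session_token = $(jq -r .Credentials.SessionToken ${tmp_file})" >> ~/.aws/config
-expiry=$(jq -r .Credentials.Expiration ${tmp_file})
+
+echo "aws_access_key_id = $(jq -r .Credentials.AccessKeyId "${tmp_file}")" >> "${HOME}/.aws/config"
+echo "aws_secret_access_key = $(jq -r .Credentials.SecretAccessKey "${tmp_file}")" >> "${HOME}/.aws/config"
+echo "aws_session_token = $(jq -r .Credentials.SessionToken "${tmp_file}")" >> "${HOME}/.aws/config"
+
+expiry=$(jq -r .Credentials.Expiration "${tmp_file}")
 echo "##vso[task.setvariable variable=ASSUME_ROLE_EXPIRY;]$expiry"
-rm ${tmp_file}
+
+rm "${tmp_file}"
+
 profile="${{ parameters.profile }}"
-if [[ ! -z "${profile}" ]]; then
-echo as profile ${profile}
-sed -i "s#\[default\]#\[profile ${profile}\]#" ~/.aws/config
+if [[ -n "${profile}" ]]; then
+echo "Using profile: ${profile}"
+sed -i "s#\[default\]#\[profile ${profile}\]#" "${HOME}/.aws/config"
 fi
+
 displayName: assume role
 condition: and(succeeded(), ne(variables['ROLE'], ''))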
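Review bot: The STS credentials JSON written to `${tmp_file}` by the assume-role attempt (new line 48) is only deleted by the explicit `rm` at new line 70, so any failure between them under `set -e` — a failing `jq` at lines 63–67, or the `exit 1` at line 60 after an attempt that already created the file — can leave a file of temporary credentials behind in the agent temp directory. Registering the cleanup right after the assignment on line 45 with `trap 'rm -f -- "${tmp_file}"' EXIT` makes it run on every exit path, and the later `rm` becomes redundant. The same credentials are then appended in plaintext to `${HOME}/.aws/config` (lines 63–65), which inherits whatever mode `config.default` had after the `cp` on line 44; adding `chmod 600 "${HOME}/.aws/config"` directly after that `cp` keeps them readable only by the agent user. The retry loop at lines 47–55 also re-creates the file on each failed attempt, so the trap-based cleanup covers those partial outputs as well.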
