added oidc steps: 1.obtain oidc id token. 2.aws sts assume role (#643)

daniel-codefresh · web-flow · commit 822afc0a9a12 · 2023-09-03T18:13:43.000+03:00
Signed-off-by: Daniel Soifer &lt;daniel.soifer@codefresh.io&gt;
diff --git a/incubating/aws-sts-assume-role-with-web-identity/icon.svg b/incubating/aws-sts-assume-role-with-web-identity/icon.svg
@@ -0,0 +1 @@
+<svg width="1306" height="2500" viewBox="0 0 256 490" xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMidYMid"><path d="M21 165.75l-21 6.856 21.75 2.519-.75-9.375M19.955 206.806L128 213.714l108.045-6.908L128 185.75 19.955 206.806M234.5 175.125l21.5-2.519-21.5-5.731v8.25" fill="#3C4929"/><path d="M157.387 352.929l56.606 13.396-56.756 17.116.15-30.512" fill="#B7CA9D"/><path d="M19.955 92.221V54.019L128 0l.482.405-.248 48.496-.234.102-.405 1.117-59.098 23.856-.542 84.037 31.452-5.29L128 147.002V490.03l-32.369-16.177v-45.771l-28.354-11.338V202.069l-47.322 4.737v-38.195L0 172.606v-72.408l19.955-7.977" fill="#4B612C"/><path d="M99.408 152.727l-32.131 6.424V73.28l32.131 10.018v69.429M183.925 27.959l52.106 26.06v38.202L256 100.198V172.6l-19.969-3.989v38.195l-25.441-2.538-21.881-2.199v42.939h47.336v39.284l-21.997 1.974v39.611l-53.692 10.672v45.77l53.57-15.899.122 40.38-53.692 21.282v45.771L128 490.03V147.002l28.572 5.71 30.583 4.038V73.966l-58.338-22.498-.817-2.465V0l55.925 27.959" fill="#759C3E"/><path d="M160.356 61.941L128 49.01 67.277 73.28l32.131 10.018 60.948-21.357" fill="#3C4929"/><path d="M67.277 73.28L128 49.01l12.775 5.104 19.581 7.827 28.353 11.353-1.515 1.541-28.876 8.991-1.74-.528L128 73.28 99.408 83.298 67.277 73.28" fill="#3C4929"/><path d="M156.578 83.298l32.131-10.004v85.864l-32.131-6.446V83.298" fill="#4B612C"/></svg>
diff --git a/incubating/aws-sts-assume-role-with-web-identity/step.yaml b/incubating/aws-sts-assume-role-with-web-identity/step.yaml
@@ -0,0 +1,151 @@
+version: '1.0'
+kind: step-type
+metadata:
+  version: 1.0.0
+  name: aws-sts-assume-role-with-web-identity
+  description: >-
+    Obtain AWS STS credentials using OIDC ID token and export them as environment variables
+  isPublic: true
+  latest: true
+  official: true
+  stage: incubating
+  sources:
+    - 'https://github.com/codefresh-io/steps/tree/master/incubating/aws-sts-assume-role-with-web-identity'
+  maintainers:
+    - name: Daniel Soifer
+  categories:
+    - oidc
+  tags: [
+    'aws',
+    'sts',
+    'oidc',
+    'open id connect',
+    'id token'
+  ]
+  icon:
+    type: svg
+    url: https://raw.githubusercontent.com/codefresh-io/steps/master/incubating/aws-sts-assume-role-with-web-identity/icon.svg
+    background: '#f4f4f4'
+  examples:
+    - description: example-with-obtain-oidc-id-token-step
+      workflow:
+        version: '1.0'
+        steps:
+          obtain_id_token:
+            title: Obtain ID Token
+            type: obtain-oidc-id-token
+          assume_role:
+            title: Assume Role
+            type: aws-sts-assume-role-with-web-identity
+            arguments:
+              ROLE_ARN: arn:aws:iam::123456789012:role/role-name
+              ROLE_SESSION_NAME: session-name
+          s3_list_objects:
+            title: List S3 Objects
+            image: amazon/aws-cli
+            commands:
+              - aws s3 ls "s3://bucket-name/"
+    - description: example-with-id-token-from-environment-variable
+      workflow:
+        version: '1.0'
+        steps:
+          assume_role:
+            title: Assume Role
+            type: aws-sts-assume-role-with-web-identity
+            arguments:
+              ROLE_ARN: arn:aws:iam::123456789012:role/role-name
+              ROLE_SESSION_NAME: session-name
+              WEB_IDENTITY_TOKEN: ${{ID_TOKEN}}
+          s3_list_objects:
+            title: List S3 Objects
+            image: amazon/aws-cli
+            commands:
+              - aws s3 ls "s3://bucket-name/"
+spec:
+  arguments: |-
+    {
+        "definitions": {},
+        "$schema": "http://json-schema.org/draft-07/schema#",
+        "type": "object",
+        "additionalProperties": false,
+        "patterns": [],
+        "required": [
+          "ROLE_ARN",
+          "ROLE_SESSION_NAME"
+        ],
+        "properties": {
+           "ROLE_ARN": {
+               "type": "string",
+               "description": "the ARN of the role to assume"
+           },
+            "ROLE_SESSION_NAME": {
+                 "type": "string",
+                 "description": "the name of the session"
+            },
+           "WEB_IDENTITY_TOKEN": {
+               "type": "string",
+               "description": "the OIDC ID token. If not provided, the step will try to read it from the environment variable ID_TOKEN (which is set by the obtain-oidc-id-token step)"
+           }
+        }
+    }
+  returns: |-
+    {
+        "definitions": {},
+        "$schema": "http://json-schema.org/draft-07/schema#",
+        "type": "object",
+        "additionalProperties": true,
+        "patterns": [],
+        "required": [
+          "AWS_ACCESS_KEY_ID",
+          "AWS_SECRET_ACCESS_KEY",
+          "AWS_SESSION_TOKEN"
+        ],
+        "properties": {
+            "AWS_ACCESS_KEY_ID": {
+                "type": "string",
+                "description": "the AWS access key id" 
+            },
+            "AWS_SECRET_ACCESS_KEY": {
+                "type": "string",
+                "description": "the AWS secret access key" 
+            },
+            "AWS_SESSION_TOKEN": {
+                "type": "string",
+                "description": "the AWS session token" 
+            }
+        }
+    }
+  delimiters:
+    left: '[['
+    right: ']]'
+  stepsTemplate: |-
+    main:
+      name: aws-sts-assume-role-with-web-identity
+      image: mikesir87/aws-cli
+      environment:
+      [[ range $key, $val := .Arguments ]]
+        - '[[ $key ]]=[[ $val ]]'
+      [[- end ]]
+        - 'ID_TOKEN=${{ID_TOKEN}}'
+      commands:
+        - |
+        [[- if .Arguments.WEB_IDENTITY_TOKEN ]]
+          TOKEN=$WEB_IDENTITY_TOKEN
+        [[- else ]]
+          TOKEN=$ID_TOKEN
+        [[- end ]]
+
+          SESSION_CREDS=$(aws sts assume-role-with-web-identity \
+            --role-arn "$ROLE_ARN" \
+            --role-session-name "$ROLE_SESSION_NAME" \
+            --web-identity-token "$TOKEN" \
+            --output json \
+            --query Credentials)
+    
+          AWS_ACCESS_KEY_ID=$(echo "$SESSION_CREDS" | jq -r .AccessKeyId)
+          AWS_SECRET_ACCESS_KEY=$(echo "$SESSION_CREDS" | jq -r .SecretAccessKey)
+          AWS_SESSION_TOKEN=$(echo "$SESSION_CREDS" | jq -r .SessionToken)
+    
+          cf_export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID --mask
+          cf_export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY --mask
+          cf_export AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN --mask
diff --git a/incubating/obtain-oidc-id-token/icon.svg b/incubating/obtain-oidc-id-token/icon.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg"  viewBox="0 0 48 48" width="48px" height="48px"><path fill="#9E9E9E" d="M44,27l-1-9l-2.9,1.9c-2.7-1.7-6.1-2.9-9.9-3.5c0,0-1.9-0.4-4.4-0.4s-4.8,0.3-4.8,0.3C11.3,17.5,4,23,4,29.6C4,36.4,11.5,42,23,43v-3.9c-7.9-1.1-12.9-4.8-12.9-9.5c0-4.4,4.6-8.1,10.9-9.3c0,0,4.9-1.1,9.2,0.2c2.1,0.5,4,1.2,5.6,2.2L32,25L44,27z"/><path d="M23 8L23 43 29 40 29 5z"/><path fill="#FF9800" d="M23 8L23 43 29 40 29 5z"/></svg>
diff --git a/incubating/obtain-oidc-id-token/step.yaml b/incubating/obtain-oidc-id-token/step.yaml
@@ -0,0 +1,84 @@
+version: '1.0'
+kind: step-type
+metadata:
+  version: 1.0.0
+  name: obtain-oidc-id-token
+  description: >-
+    Obtain ID token from Codefresh OIDC Provider
+  isPublic: true
+  latest: true
+  official: true
+  stage: incubating
+  sources:
+    - 'https://github.com/codefresh-io/steps/tree/master/incubating/obtain-oidc-id-token'
+  maintainers:
+    - name: Daniel Soifer
+  categories:
+    - oidc
+  tags: [
+    'oidc',
+    'open id connect',
+    'id token'
+  ]
+  icon:
+    type: svg
+    url: https://raw.githubusercontent.com/codefresh-io/steps/master/incubating/obtain-oidc-id-token/icon.svg
+    background: '#f4f4f4'
+  examples:
+    - description: example-with-print-output
+      workflow:
+        version: '1.0'
+        steps:
+          obtain_id_token:
+            title: Obtain ID Token
+            type: obtain-oidc-id-token
+          print_output:
+            title: Printing output from previous step
+            image: alpine
+            commands:
+              - echo $ID_TOKEN
+              - echo ${{steps.obtain_id_token.output.ID_TOKEN}}
+    - description: example-with-aws-sts-assume-role-step
+      workflow:
+        version: '1.0'
+        steps:
+          obtain_id_token:
+            title: Obtain ID Token
+            type: obtain-oidc-id-token
+          assume_role:
+            title: Assume Role
+            type: aws-sts-assume-role-with-web-identity
+            arguments:
+              ROLE_ARN: arn:aws:iam::123456789012:role/role-name
+              ROLE_SESSION_NAME: session-name
+          s3_list_objects:
+            title: List S3 Objects
+            image: amazon/aws-cli
+            commands:
+              - aws s3 ls "s3://bucket-name/"
+spec:
+  returns: |-
+    {
+        "definitions": {},
+        "$schema": "http://json-schema.org/draft-07/schema#",
+        "type": "object",
+        "additionalProperties": true,
+        "patterns": [],
+        "required": [
+          "ID_TOKEN"
+        ],
+        "properties": {
+            "ID_TOKEN": {
+                "type": "string",
+                "description": "the ID token obtained from Codefresh OIDC Provider"
+            }
+        }
+    }
+  steps:
+    main:
+      name: obtain-oidc-id-token
+      image: dwdraju/alpine-curl-jq
+      commands:
+        - |
+          ID_TOKEN=$(curl -H "Authorization: $CF_OIDC_REQUEST_TOKEN" "$CF_OIDC_REQUEST_URL" | jq -r ".id_token")
+          cf_export ID_TOKEN=$ID_TOKEN --mask
