Forem: Krzysztof Łuczak The latest articles on Forem by Krzysztof Łuczak (@thevops). https://forem.com/thevops https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F768439%2F54d4204b-0b66-4d5a-84c7-4a4c373ee2e4.jpeg Forem: Krzysztof Łuczak https://forem.com/thevops en Deploy on AWS with CircleCI - OpenID Connect Krzysztof Łuczak Sun, 24 Apr 2022 14:50:11 +0000 https://forem.com/thevops/deploy-on-aws-with-circleci-openid-connect-4b0g https://forem.com/thevops/deploy-on-aws-with-circleci-openid-connect-4b0g <p>One of the first things that we do during deployment configuration is creating credentials for CI/CD tool.<br> For AWS, the simplest way is to create <strong>IAM User</strong> with programmatic keys. They are placed into secrets or environment variables inside CI/CD tool as: <code>AWS_ACCESS_KEY_ID</code> and <code>AWS_SECRET_ACCESS_KEY</code>. It is called <strong>long-term credentials</strong>, because there is not expiration time by default. We have to rotate them yourself.</p> <p>The other, more secure, way is to use <strong>short-term credentials</strong> which invalidates automatically after specific time.<br> In this article I will present example solution using *<em>OpenID Connect</em> protocol, CircleCI as deployment platform and AWS as target. I will not dive into protocol details.</p> <h1> Main idea overview </h1> <p>This is simplified diagram that shows how the whole process looks like.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0plb3x33m7zenn320rhv.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0plb3x33m7zenn320rhv.png" alt="Image description"></a></p> <p>We need 2 things to authorize in AWS:</p> <ul> <li>OIDC Token</li> <li>AWS IAM Role</li> </ul> <p>OIDC Token will be generated by CircleCI, but IAM Role needs to be created by us.</p> <h1> Terraform - create IAM Role &amp; OIDC Provider </h1> <h3> main.tf - quite common. Description no needed </h3> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">terraform</span> <span class="p">{</span> <span class="nx">required_version</span> <span class="p">=</span> <span class="s2">"1.1.4"</span> <span class="nx">required_providers</span> <span class="p">{</span> <span class="nx">aws</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">source</span> <span class="p">=</span> <span class="s2">"hashicorp/aws"</span> <span class="nx">version</span> <span class="p">=</span> <span class="s2">"4.8.0"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">provider</span> <span class="s2">"aws"</span> <span class="p">{</span> <span class="nx">region</span> <span class="p">=</span> <span class="s2">"eu-central-1"</span> <span class="p">}</span> </code></pre> </div> <h3> variables.tf </h3> <p>We need 3 values to configure our IAM Role &amp; OIDC Provider resources in AWS. <code>circleci_org_id</code> and <code>circleci_thumbprint</code> are used to create OIDC Provider, and they are rather static for our purposes (we have multiple repositories/CircleCI projects in the same CircleCI organization).<br> <code>circleci_project_id</code> allows us to limit IAM Role to specific projects. We want to authorize to AWS from specific (one or multiple) projects, not the whole organization.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">variable</span> <span class="s2">"circleci_org_id"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"CHANGE_ME"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"CircleCI Organization ID"</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"circleci_thumbprint"</span> <span class="p">{</span> <span class="c1"># https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"CHANGE_ME"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Fingerprint of CircleCI servers"</span> <span class="p">}</span> <span class="k">variable</span> <span class="s2">"circleci_project_id"</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="s2">"CHANGE_ME"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"CircleCI Project ID"</span> <span class="p">}</span> </code></pre> </div> <h3> oidc.tf </h3> <p>The most important part. There we have OIDC Provider and IAM Role with federated principal and 2 conditions. They are compared with values from OIDC Token. Second condition contains schema:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>"org/${var.circleci_org_id}/project/${var.circleci_project_id}/user/*" </code></pre> </div> <p>It means, that all users that have permissions to specific CircleCI project in specific CircleCI organization are able to successfully run this pipeline. This whole configuration works with Github platform connected to CircleCI, so Github manage permissions.</p> <p>At end we attach other permissions to role.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight terraform"><code><span class="k">resource</span> <span class="s2">"aws_iam_openid_connect_provider"</span> <span class="s2">"default"</span> <span class="p">{</span> <span class="nx">url</span> <span class="p">=</span> <span class="s2">"https://oidc.circleci.com/org/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">circleci_org_id</span><span class="k">}</span><span class="s2">"</span> <span class="nx">client_id_list</span> <span class="p">=</span> <span class="p">[</span><span class="kd">var</span><span class="p">.</span><span class="nx">circleci_org_id</span><span class="p">]</span> <span class="nx">thumbprint_list</span> <span class="p">=</span> <span class="p">[</span><span class="kd">var</span><span class="p">.</span><span class="nx">circleci_thumbprint</span><span class="p">]</span> <span class="p">}</span> <span class="c1">###########################################################</span> <span class="k">data</span> <span class="s2">"aws_caller_identity"</span> <span class="s2">"current"</span> <span class="p">{}</span> <span class="k">data</span> <span class="s2">"aws_iam_policy_document"</span> <span class="s2">"circleci"</span> <span class="p">{</span> <span class="nx">statement</span> <span class="p">{</span> <span class="nx">actions</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"sts:AssumeRoleWithWebIdentity"</span><span class="p">,</span> <span class="s2">"sts:TagSession"</span><span class="p">]</span> <span class="nx">principals</span> <span class="p">{</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"Federated"</span> <span class="nx">identifiers</span> <span class="p">=</span> <span class="p">[</span> <span class="s2">"</span><span class="k">${</span><span class="nx">aws_iam_openid_connect_provider</span><span class="p">.</span><span class="nx">default</span><span class="p">.</span><span class="nx">arn</span><span class="k">}</span><span class="s2">"</span> <span class="p">]</span> <span class="p">}</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"StringEquals"</span> <span class="k">variable</span> <span class="p">=</span> <span class="s2">"oidc.circleci.com/org/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">circleci_org_id</span><span class="k">}</span><span class="s2">:aud"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="kd">var</span><span class="p">.</span><span class="nx">circleci_org_id</span><span class="p">]</span> <span class="p">}</span> <span class="nx">condition</span> <span class="p">{</span> <span class="nx">test</span> <span class="p">=</span> <span class="s2">"ForAnyValue:StringLike"</span> <span class="k">variable</span> <span class="p">=</span> <span class="s2">"oidc.circleci.com/org/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">circleci_org_id</span><span class="k">}</span><span class="s2">:sub"</span> <span class="nx">values</span> <span class="p">=</span> <span class="p">[</span><span class="s2">"org/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">circleci_org_id</span><span class="k">}</span><span class="s2">/project/</span><span class="k">${</span><span class="kd">var</span><span class="p">.</span><span class="nx">circleci_project_id</span><span class="k">}</span><span class="s2">/user/*"</span><span class="p">]</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role"</span> <span class="s2">"circleci"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"circleci"</span> <span class="nx">path</span> <span class="p">=</span> <span class="s2">"/"</span> <span class="nx">assume_role_policy</span> <span class="p">=</span> <span class="k">data</span><span class="p">.</span><span class="nx">aws_iam_policy_document</span><span class="p">.</span><span class="nx">circleci</span><span class="p">.</span><span class="nx">json</span> <span class="p">}</span> <span class="k">resource</span> <span class="s2">"aws_iam_role_policy_attachment"</span> <span class="s2">"attach_1"</span> <span class="p">{</span> <span class="nx">role</span> <span class="p">=</span> <span class="nx">aws_iam_role</span><span class="p">.</span><span class="nx">circleci</span><span class="p">.</span><span class="nx">name</span> <span class="nx">policy_arn</span> <span class="p">=</span> <span class="s2">"arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"</span> <span class="p">}</span> </code></pre> </div> <h1> CircleCI configuration </h1> <p>.circleci/config.yml<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="m">2.1</span> <span class="na">orbs</span><span class="pi">:</span> <span class="na">aws-cli</span><span class="pi">:</span> <span class="s">circleci/aws-cli@3.0.0</span> <span class="na">commands</span><span class="pi">:</span> <span class="na">aws-oidc-setup</span><span class="pi">:</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Setup AWS auth using OIDC token</span> <span class="na">parameters</span><span class="pi">:</span> <span class="na">aws-role-arn</span><span class="pi">:</span> <span class="na">type</span><span class="pi">:</span> <span class="s">string</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Get short-term credentials</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">STS=($(aws sts assume-role-with-web-identity --role-arn &lt;&lt; parameters.aws-role-arn &gt;&gt; --role-session-name "${CIRCLE_BRANCH}-${CIRCLE_BUILD_NUM}" --web-identity-token "${CIRCLE_OIDC_TOKEN}" --duration-seconds 900 --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text))</span> <span class="s">echo "export AWS_ACCESS_KEY_ID=${STS[0]}" &gt;&gt; $BASH_ENV</span> <span class="s">echo "export AWS_SECRET_ACCESS_KEY=${STS[1]}" &gt;&gt; $BASH_ENV</span> <span class="s">echo "export AWS_SESSION_TOKEN=${STS[2]}" &gt;&gt; $BASH_ENV</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Verify AWS credentials</span> <span class="na">command</span><span class="pi">:</span> <span class="s">aws sts get-caller-identity</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="na">executor</span><span class="pi">:</span> <span class="s">aws-cli/default</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">checkout</span> <span class="pi">-</span> <span class="s">aws-cli/install</span> <span class="pi">-</span> <span class="na">aws-oidc-setup</span><span class="pi">:</span> <span class="na">aws-role-arn</span><span class="pi">:</span> <span class="s2">"</span><span class="s">arn:aws:iam::XXXXXXXXXXXX:role/circleci"</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Test AWS connection</span> <span class="na">command</span><span class="pi">:</span> <span class="s">aws s3 ls</span> <span class="na">workflows</span><span class="pi">:</span> <span class="na">build_and_deploy</span><span class="pi">:</span> <span class="na">jobs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">test</span><span class="pi">:</span> <span class="na">context</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">example-context</span> </code></pre> </div> <p>Here we have configuration with our custom command used to authorize in AWS. There are few important things:</p> <ul> <li> <code>parameters.aws-role-arn</code> -&gt; previously created IAM Role</li> <li> <code>role-session-name</code> -&gt; it could be anything. It will shows up as <code>user</code> field in AWS CloudTrail</li> <li> <code>CIRCLE_OIDC_TOKEN</code> -&gt; it is <strong>OIDC Token</strong>. It is added by CircleCI <strong>only</strong> if job uses <strong>any</strong> context. That's why I added <code>example-context</code> in workflows. This context can be empty also.</li> <li> <code>duration-seconds</code> - time that token is valid</li> </ul> <p>You can check what is inside <code>CIRCLE_OIDC_TOKEN</code> using SSH in job, and decode it here: <a href="https://jwt.io/" rel="noopener noreferrer">jwt.io</a><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>circleci@a094c7852509:~$ echo $CIRCLE_OIDC_TOKEN eyJraWQiOiJhSzlqNmRZQm8zS0R3NGdmV3k4eGRNTFU1UThPeWNzcW44S....... </code></pre> </div> <h1> Documentation </h1> <ul> <li><a href="https://circleci.com/docs/2.0/openid-connect-tokens/" rel="noopener noreferrer">https://circleci.com/docs/2.0/openid-connect-tokens/</a></li> <li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html" rel="noopener noreferrer">https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html</a></li> </ul> <p>It's my first article, so feedback is welcome :)</p> circleci aws terraform devops