AWS CDK construct to create OIDC roles for CircleCI jobs

blimmer/cdk-circleci-oidc

CircleCI OIDC

This repository contains constructs to communicate between CircleCI and AWS via an Open ID Connect (OIDC) provider. The process is described in this CircleCI blog post.

Security Benefits

By using the OpenID Connect provider, you can communicate with AWS from CircleCI without saving static credentials (e.g., AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) in your CircleCI project settings or a context. Removing static credentials, especially in light of the early 2023 breach, is a best practice for security.

Quick Start

Install the package:

```sh
npm install @blimmer/cdk-circleci-oidc
# or
yarn add @blimmer/cdk-circleci-oidc
```

Then, create the provider and role(s).

```typescript
import { Stack, StackProps } from "aws-cdk-lib";
import { CircleCiOidcProvider, CircleCiOidcRole } from "@blimmer/cdk-circleci-oidc";
import { Construct } from "constructs";
import { ManagedPolicy, PolicyStatement } from "aws-cdk-lib/aws-iam";
import { Bucket } from "aws-cdk-lib/aws-s3";

export class CircleCiStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    // The provider is only created _once per AWS account_. It might make sense to define this in a separate stack
    // that defines more global resources. See below for how to import the provider in stacks that don't define it.
    const provider = new CircleCiOidcProvider(this, "OidcProvider", {
      // Find your organization ID in the CircleCI dashboard under "Organization Settings"
      organizationId: "11111111-2222-3333-4444-555555555555",
    });

    const myCircleCiRole = new CircleCiOidcRole(this, "MyCircleCiRole", {
      provider,
      roleName: "MyCircleCiRole",
      // Pass some managed policies to the role
      managedPolicies: [ManagedPolicy.fromAwsManagedPolicyName("AmazonS3ReadOnlyAccess")],
    });

    // You can work with the CircleCI role like any other role
    myCircleCiRole.addToPolicy(
      new PolicyStatement({
        actions: ["s3:ListAllMyBuckets"],
        resources: ["*"],
      }),
    );

    // Including using `.grant` convenience methods
    const bucket = new Bucket(this, "MyBucket");
    bucket.grantRead(myCircleCiRole);
  }
}
```

Now, in your .circleci/config.yml file, you can use the AWS CLI Orb to assume your new role.

```yaml
version: 2.1

orbs:
  aws-cli: circleci/[email protected] # https://circleci.com/developer/orbs/orb/circleci/aws-cli

workflows:
  version: 2
  build:
    jobs:
      - oidc-job:
          # You _must_ use a context, even if it doesn't contain any secrets
          # (see https://circleci.com/docs/openid-connect-tokens/#openid-connect-id-token-availability)
          context: oidc-assumption

jobs:
  oidc-job:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      # https://circleci.com/developer/orbs/orb/circleci/aws-cli#commands-setup
      - aws-cli/setup:
          role_arn: "arn:aws:iam::123456789101:role/MyCircleCiRole"
      - run:
          name: List S3 Buckets
          command: aws s3 ls
```
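What the provider and role above establish on the AWS side, as an added example that is not the construct's own code: a dependency-free model of the IAM trust policy that only tokens from one CircleCI organization (and, optionally, specific projects) can satisfy, and the claim check STS applies to it. The account, organization and project IDs are constructed, and the project-ID restriction is an assumed hardening, not something the README shows.

```typescript
// Added example, not part of the cdk-circleci-oidc project: a dependency-free
// model of the IAM trust policy an OIDC role for CircleCI depends on, and the
// check STS makes against the token claims. All IDs below are constructed.
type Conditions = Record<string, Record<string, string | string[]>>;
type Claims = Record<string, string>; // iss, aud, sub from the CircleCI token
interface TrustPolicy {
  Version: string;
  Statement: Array<{ Effect: "Allow"; Principal: { Federated: string }; Action: string; Condition: Conditions }>;
}

// The provider is per organization: issuer https://oidc.circleci.com/org/<orgId>,
// audience <orgId>, subject org/<orgId>/project/<projectId>/user/<userId>.
// With no projectIds every project in the org can assume the role; listing
// projectIds pins the sub claim to those projects (assumed hardening).
function circleCiTrustPolicy(accountId: string, orgId: string, projectIds: string[] = []): TrustPolicy {
  const provider = `oidc.circleci.com/org/${orgId}`;
  const condition: Conditions = { StringEquals: { [`${provider}:aud`]: orgId } };
  if (projectIds.length > 0) {
    condition.StringLike = { [`${provider}:sub`]: projectIds.map((p) => `org/${orgId}/project/${p}/user/*`) };
  }
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Principal: { Federated: `arn:aws:iam::${accountId}:oidc-provider/${provider}` },
      Action: "sts:AssumeRoleWithWebIdentity",
      Condition: condition,
    }],
  };
}

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);
const globToRegExp = (g: string): RegExp =>
  new RegExp("^" + g.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*") + "$");

// Evaluate the claims the way the policy conditions would: the issuer must be
// the federated provider, every StringEquals key must match exactly, and every
// StringLike key must match at least one pattern. Keys look like "<provider>:aud".
function assumeRoleAllowed(policy: TrustPolicy, claims: Claims): boolean {
  const issuer = claims.iss.replace(/^https:\/\//, "");
  return policy.Statement.some((s) => {
    if (!s.Principal.Federated.endsWith(`:oidc-provider/${issuer}`)) return false;
    const claim = (key: string): string => claims[key.slice(key.indexOf(":") + 1)] ?? "";
    const eqOk = Object.entries(s.Condition.StringEquals ?? {}).every(([k, v]) => asList(v).includes(claim(k)));
    const likeOk = Object.entries(s.Condition.StringLike ?? {}).every(([k, v]) =>
      asList(v).some((pat) => globToRegExp(pat).test(claim(k))));
    return eqOk && likeOk;
  });
}
```

Without the sub restriction, a token minted for any project in the organization satisfies the policy, which is why the provider is scoped per organization and a role is scoped per project when the role carries real permissions.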

Usage in Stacks that Don't Define the Provider

The CircleCiOidcProvider is only created once per account. You can use the CircleCiOidcProvider.fromOrganizationId method to import a previously created provider into any stack.

```typescript
import { Stack, StackProps } from "aws-cdk-lib";
import { CircleCiOidcRole, CircleCiOidcProvider } from "@blimmer/cdk-circleci-oidc";
import { Construct } from "constructs";

export class MyStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    const myCircleCiRole = new CircleCiOidcRole(this, "MyCircleCiRole", {
      provider: CircleCiOidcProvider.fromOrganizationId(this, "11111111-2222-3333-4444-555555555555"),
      roleName: "MyCircleCiRole",
    });
  }
}
```

Usage

For detailed API docs, see API.md.

Python

This package is available for Python as cdk-circleci-oidc.

```sh
pip install cdk-circleci-oidc
```

Upgrading Between Major Versions

The API can be expected to change between major versions. Please consult the UPGRADING docs for more information.

Contributing

Contributions, issues, and feedback are welcome!
