Skip to content

Instantly share code, notes, and snippets.

@paulmarsicloud
Created September 4, 2022 04:38
Show Gist options
  • Save paulmarsicloud/bbdd247d1a95af0fe92f75f5d7c3ba4e to your computer and use it in GitHub Desktop.
Save paulmarsicloud/bbdd247d1a95af0fe92f75f5d7c3ba4e to your computer and use it in GitHub Desktop.
.circleci/config.yml with OIDC Identity Provider instead of IAM Credentials
version: 2.1
jobs:
www:
docker:
- image: paulmarsicloud/hexo-aws:2.1
environment:
AWS_DEFAULT_REGION: <ENTER YOUR REGION HERE>
AWS_ROLE_ARN: <ENTER YOUR IAM ROLE ARN HERE>
working_directory: ~/hexo-cloudonmymindblog
steps:
- checkout
- run:
name: Generate static website
command: hexo generate
- run:
name: authenticate-and-interact, Push to S3 bucket, Invalidate CloudFront
command: |
# use the OpenID Connect token to obtain AWS credentials
read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN \<<< \
$(aws sts assume-role-with-web-identity \
--role-arn ${AWS_ROLE_ARN} \
--role-session-name "CircleCI-${CIRCLE_WORKFLOW_ID}-${CIRCLE_JOB}" \
--web-identity-token $CIRCLE_OIDC_TOKEN \
--duration-seconds 3600 \
--query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
--output text)
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
# interact with AWS
aws sts get-caller-identity --no-cli-pager
cd public/ && aws s3 sync . s3://www.thecloudonmymind.com
aws cloudfront create-invalidation --distribution-id <REDACTED> --paths "/*" --no-cli-pager
workflows:
version: 2
build_and_deploy:
jobs:
- www:
context:
- cloudonmymind-web
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment