Greetings,
I have this pipeline:
common:
  - aws_assume_deployer_role: &aws_role
      aws-assume-role-with-web-identity:
        role-arn: arn:aws:iam::<REDACTED>:role/deploy
  - vault: &vault
      PropellerAero/vault-secrets#e1c3029:
        auth:
          role: deployer
          path: app-secrets/development/platform-infrastructure/deployment
        env:
          VAULT_ADDR: <REDACTED>

steps:
  - label: "AWS assume role and Vault login"
    agents:
      stage: "development"
    command: bash -c 'aws sts get-caller-identity ; env'
    plugins:
      - *aws_role
      - *vault
The plugins are:
- GitHub - buildkite-plugins/aws-assume-role-with-web-identity-buildkite-plugin: A Buildkite plugin to assume-role-with-web-identity using a Buildkite OIDC token before running the build command
- GitHub - PropellerAero/vault-secrets-buildkite-plugin: Vault Secrets Environment Plugin for Buildkite using the AWS Auth method
I am expecting the assumed AWS role deploy to stick, at least within the context of the step, but this is not the case. By the time the second (vault-secrets) plugin’s hooks are executed, it seems that the agent’s AWS credentials have reverted to the original one:
So the first plugin works great:
:aws: Assuming role using OIDC token
Role ARN: arn:aws:iam::<REDACTED>:role/deploy
Assumed role: <REDACTED>
But then Vault is telling me that the agent is hitting it with the original AWS role, which is the general agent role configured in the Elastic AWS stack and not the one assumed just prior:
error validating instance: IAM role ARN "arn:aws:iam::<REDACTED>:role/buildkite-development-agent-node-role" does not satisfy the constraint role "deployer"
The Vault plugin is using the AWS_* credentials from the environment; that’s what I mean by the revert to that original agent IAM role.
I’d appreciate your help.
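An added diagnostic, not part of the original post or of either plugin, that a command step or hook can run right before the Vault login to confirm which IAM role is actually in scope and which AWS_* variables the hook inherited. It assumes only the JSON shape printed by `aws sts get-caller-identity`; the function names are my own and the ARNs used in the test are constructed.

```shell
#!/usr/bin/env bash
# Added diagnostic helper; not from the original post or from either plugin.
# Confirms whether the AWS identity visible at this point is the expected
# assumed role (e.g. "deploy") rather than the agent's instance role.

# Extract the "Arn" field from `aws sts get-caller-identity` JSON output.
caller_arn() {
  printf '%s' "$1" | sed -n 's/.*"Arn"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Role name from an STS assumed-role ARN (...:assumed-role/ROLE/SESSION)
# or from an IAM role ARN (...:role/ROLE). Fails on anything else.
role_name_from_arn() {
  case "$1" in
    *:assumed-role/*) printf '%s' "${1#*:assumed-role/}" | cut -d/ -f1 ;;
    *:role/*)         printf '%s' "${1#*:role/}" | cut -d/ -f1 ;;
    *)                return 1 ;;
  esac
}

# Exit 0 if the caller-identity JSON in $1 belongs to the role named in $2.
identity_is_role() {
  local arn role
  arn=$(caller_arn "$1") || return 1
  role=$(role_name_from_arn "$arn") || return 1
  [ "$role" = "$2" ]
}

# Which credential variables a hook would inherit. Credentials exported by an
# assume-role step carry AWS_SESSION_TOKEN; if none of these is set, the SDK
# in the next plugin resolves credentials on its own (on an EC2 agent, the
# instance role), which is exactly the fallback seen in the Vault error.
aws_env_summary() {
  local v out=""
  for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_PROFILE; do
    if printenv "$v" >/dev/null 2>&1; then out="$out $v=set"; else out="$out $v=unset"; fi
  done
  printf '%s\n' "${out# }"
}

# Usage from a hook or command step (needs the AWS CLI): ./check_role.sh deploy
if [ $# -eq 1 ]; then
  aws_env_summary
  if identity_is_role "$(aws sts get-caller-identity --output json)" "$1"; then
    echo "identity ok: role $1 is in scope"
  else
    echo "identity mismatch: role $1 is NOT in scope" >&2
    exit 1
  fi
fi
```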