I have this pipeline:
common:
  - aws_assume_deployer_role: &aws_role
      aws-assume-role-with-web-identity:
        role-arn: arn:aws:iam::<REDACTED>:role/deploy
  - vault: &vault
      PropellerAero/vault-secrets#e1c3029:
        auth:
          role: deployer
          path: app-secrets/development/platform-infrastructure/deployment
        env:
          VAULT_ADDR: <REDACTED>

steps:
  - label: "AWS assume role and Vault login"
    agents:
      stage: "development"
    command: bash -c 'aws sts get-caller-identity ; env'
    plugins:
      - *aws_role
      - *vault
The plugins are:
- buildkite-plugins/aws-assume-role-with-web-identity-buildkite-plugin (GitHub): a Buildkite plugin to assume-role-with-web-identity using a Buildkite OIDC token before running the build command
- PropellerAero/vault-secrets-buildkite-plugin (GitHub): Vault Secrets Environment Plugin for Buildkite using the AWS Auth method
I am expecting the assumed AWS role deploy to stick, at least within the context of the step, but this is not the case. By the time the second (vault-secrets) plugin's hooks are executed, it seems that the agent's AWS credentials have reverted to the original ones:
So the first plugin works great:
:aws: Assuming role using OIDC token
Role ARN: arn:aws:iam::<REDACTED>:role/deploy
Assumed role: <REDACTED>
But then Vault is telling me that the agent is hitting it with the original AWS role, which is the general agent role configured in the Elastic AWS stack and not the one assumed just prior:
error validating instance: IAM role ARN "arn:aws:iam::<REDACTED>:role/buildkite-development-agent-node-role" does not satisfy the constraint role "deployer"
The Vault plugin is using the AWS_* credentials from the environment; that's what I mean by the revert to the original agent IAM role.
I’d appreciate your help.
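A fail-fast check one can run between the two plugins (for instance as a pre-command hook or at the start of the step's command), added here as an example that is not part of the original post or of either plugin. It parses the caller ARN returned by `aws sts get-caller-identity` and fails the step if the role in effect is not the expected deploy role, so the mismatch is caught before Vault is ever contacted; it assumes the AWS CLI is installed and that the expected role name is passed as the first argument.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the plugins it names).
# Verify the AWS role actually in effect before the Vault login step runs.
set -eu

# Extract the role name from either an IAM role ARN
#   arn:aws:iam::<acct>:role/<name>
# or an STS assumed-role ARN
#   arn:aws:sts::<acct>:assumed-role/<name>/<session>
# Prints the name; returns 1 for any other resource type.
role_from_arn() {
  arn="$1"
  resource="${arn##*:}"   # part after the last ':' e.g. "role/deploy"
  case "$resource" in
    role/*)
      printf '%s\n' "${resource#role/}" ;;
    assumed-role/*)
      resource="${resource#assumed-role/}"
      printf '%s\n' "${resource%%/*}" ;;
    *)
      return 1 ;;
  esac
}

# Return 0 if the ARN names the expected role, 1 otherwise.
arn_matches_role() {
  arn="$1"; expected="$2"
  actual="$(role_from_arn "$arn")" || return 1
  [ "$actual" = "$expected" ]
}

# Live check: ask STS who we are and compare. Needs the AWS CLI and network.
# Usage inside a step:  check_caller_role deploy
check_caller_role() {
  expected="$1"
  caller_arn="$(aws sts get-caller-identity --query Arn --output text)"
  if arn_matches_role "$caller_arn" "$expected"; then
    echo "OK: running as role '$expected' ($caller_arn)"
  else
    echo "FAIL: expected role '$expected' but caller is $caller_arn" >&2
    return 1
  fi
}
```

Because the comparison is done on the parsed role name, the same check accepts the STS assumed-role form that `get-caller-identity` returns after a successful assume-role as well as a plain IAM role ARN.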