This orb can be used to rotate AWS access keys and update corresponding CircleCI environment variables. A common use case would be to set up a scheduled CircleCI job which rotates access keys for the used user.
Note:
CircleCI used to allow for AWS credentials to be entered separately, not as environment variables.
If set these will be used by builds in preference of any AWS credentials that are set as environment variables.
This can cause build failures after this Orb has rotated the environment variable values.
Before using this Orb you should check that there are no AWS Credentials set on the deprecated settings page in CircleCI.
The settings page is now hidden but can be accessed on a link similar to this:
https://circleci.com/gh/ovotech/<project name>/edit#aws
This orb defines a small 'default' executor for running the aws commands. Any container that has aws cli, curl and jq can be used to run this orb.
This is the only command available in this orb. It rotates the AWS access keys for the user specified as the aws-username parameter. In addition of rotating the keys, this command also updates the corresponding environment variables. In order to run this command, you need to make sure that the aws cli client is already authenticated.
Parameters
aws-username- user name of the AWS account you want to rotate keys forcircleci-token- CircleCI API token used to update environment variablesaws-access-key-id-var- name of the CircleCI environment variable which holds a value of the aws access key id, e.g.AWS_ACCESS_KEY_IDaws-secret-access-key-var- name of the CircleCI environment variable which holds a value of the aws secret access key, e.g.AWS_SECRET_ACCESS_KEY.
Make sure you have the following environment variables set up in CircleCI:
- CircleCI API token, e.g.
CIRCLECI_TOKEN - AWS access key id and a secret access key, e.g.
AWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEY. Your environment variables can have any name you want as long as you configure the aws cli and refrence correctly the names in the orb parameters (see the examples below).
The following example has the following CircleCI env vars AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY so they are automatically picked up by aws cli.
version: 2.1
orbs:
rotate-aws-keys: ovotech/aws-rotate-keys@1
jobs:
rotate-aws-keys:
executor: rotate-aws-keys/default
steps:
- rotate-aws-keys/rotate:
aws-username: circleci-user
circleci-token: $CIRCLECI_TOKEN
workflows:
version: 2
rotate-weekly:
triggers:
- schedule:
cron: "30 10 * * 3" # Every Wednesday at 10:30 UTC
filters: { branches: { only: master } }
jobs:
- rotate-aws-keysThe following example uses the following CircleCI env variables PROD_AWS_ACCESS_KEY_ID and PROD_AWS_SECRET_ACCESS_KEY which are not automatically picked up by aws cli and therefore you need to set up the credentials manually.
version: 2.1
orbs:
rotate-aws-keys: ovotech/aws-rotate-keys@1
jobs:
rotate-aws-keys:
executor: rotate-aws-keys/default
steps:
- run:
name: Set AWS environment to PROD
command: |
echo 'export AWS_ACCESS_KEY_ID=$PROD_AWS_ACCESS_KEY_ID' >> $BASH_ENV
echo 'export AWS_SECRET_ACCESS_KEY=$PROD_AWS_SECRET_ACCESS_KEY' >> $BASH_ENV
- rotate-aws-keys/rotate:
aws-username: circleci-user
circleci-token: $CIRCLECI_TOKEN
aws-access-key-id-var: PROD_AWS_ACCESS_KEY_ID
aws-secret-access-key-var: PROD_AWS_SECRET_ACCESS_KEY
workflows:
version: 2
rotate-weekly:
triggers:
- schedule:
cron: "30 10 * * 3" # Every Wednesday at 10:30 UTC
filters: { branches: { only: master } }
jobs:
- rotate-aws-keys