credentials
---
[my-prod]
aws_access_key_id = ...
aws_secret_access_key = ...
Replace [aws-account-id], [aws-iam-username] and [aws-iam-role-name] with the values for your AWS account.
BUILD
---
...
# Targets that turn the long-term keys in `credentials` into short-lived AWS
# credentials: an MFA-protected session (OTP taken from gopass) and a role
# assumed from that session. Replace the bracketed placeholders before building.
load("profile.bzl", "assume_role", "credentials", "get_session_token", "profile")
load("otp.bzl", "gopass_otp")
# One-time code source — presumably the current TOTP derived from this gopass
# entry; confirm against otp.bzl.
gopass_otp(
name = "my-prod-otp",
entry = "Account/aws.amazon.com/my-prod",
)
# Long-term keys: the [my-prod] section of the `credentials` file shown above.
# That file holds static secrets — keep it out of version control and readable
# only by the current user.
profile(
name = "my-prod",
credentials = ":credentials",
)
# MFA session: serial_number is the ARN of the IAM user's MFA device and otp
# the code produced by :my-prod-otp.
get_session_token(
name = "my-prod-sts",
profile = ":my-prod",
serial_number = "arn:aws:iam::[aws-account-id]:mfa/[aws-iam-username]",
otp = ":my-prod-otp",
)
# Role credentials, chained from the MFA session (:my-prod-sts) rather than
# from the long-term keys.
assume_role(
name = "my-prod-role",
profile = ":my-prod-sts",
role_arn = "arn:aws:iam::[aws-account-id]:role/[aws-iam-role-name]",
)
# Output: a shared-credentials file containing both profiles; the docker steps
# below mount it as AWS_SHARED_CREDENTIALS_FILE. It holds live temporary
# credentials in plaintext under bazel-bin — treat it as a secret and remove
# it once expired.
credentials(
name = "output_credentials",
profiles = [
":my-prod-sts",
":my-prod-role",
],
)
# Clean up expired credentials
# The generated credentials file lives under bazel-bin (see the docker steps
# below); removing the output tree forces a fresh build so stale session
# tokens are not reused. The k8-fastbuild segment is host/config specific.
rm -rf bazel-out/k8-fastbuild/bin
# Unlock gopass
# NOTE(review): `gopass <entry>` displays the entry; if the intent is only to
# cache the GPG passphrase, check whether the secret is echoed to the terminal.
gopass my-prod
# Build the credentials file from the targets defined in BUILD above.
bazel build //:output_credentials
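# Clone bazel_aws_credentials
git clone https://github.com/whs-dot-hk/bazel_aws_credentials.git
cd bazel_aws_credentials
# Append credentials (long-term keys for the [my-prod] profile).
# The file is restricted to the current user before the keys are written so
# they are never world-readable, not even briefly; keep it out of version
# control. The heredoc delimiter is quoted so nothing inside is expanded.
touch credentials
chmod 600 credentials
tee -a credentials > /dev/null <<'EOF'
[my-prod]
aws_access_key_id = ...
aws_secret_access_key = ...
EOF
# Create password.txt (master password of Passwords.kdbx).
# "newpassword" is a placeholder. A literal password on the command line also
# ends up in the shell history; the file is made user-only before it is written.
touch password.txt
chmod 600 password.txt
echo "newpassword" > password.txt
# Append BUILD
# Passwords.kdbx is referenced by the OTP rule but not created by these steps;
# presumably it is copied into this directory beforehand — confirm.
tee -a BUILD > /dev/null <<'EOF'
load("profile.bzl", "credentials", "get_session_token", "profile")
load("otp.bzl", "kpotp_otp")
# One-time code source: KeePass database + master password file.
kpotp_otp(
name = "my-prod-otp",
kdbx = ":Passwords.kdbx",
password_file = ":password.txt",
entry = "my-prod",
)
# Long-term keys from the [my-prod] section of `credentials`.
profile(
name = "my-prod",
credentials = ":credentials",
)
# MFA session: replace the bracketed placeholders with your account id and user.
get_session_token(
name = "my-prod-sts",
profile = ":my-prod",
serial_number = "arn:aws:iam::[aws-account-id]:mfa/[aws-iam-username]",
otp = ":my-prod-otp",
)
# Output shared-credentials file (plaintext, under bazel-bin).
credentials(
name = "output_credentials",
profiles = [
":my-prod-sts",
],
)
EOF
# Build output_credentials
tee build.sh > /dev/null <<'EOF'
# Remove previously built (possibly expired) credentials before rebuilding;
# the k8-fastbuild path is host/config specific.
rm -rf bazel-out/k8-fastbuild/bin
bazel build //:output_credentials
EOF
sh build.sh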
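# Verify the generated credentials from a pinned aws-cli container.
docker pull amazon/aws-cli:2.0.54
# bazel-bin/output_credentials is the file built above; it is mounted read-only
# and exposed to the CLI via AWS_SHARED_CREDENTIALS_FILE. The path is quoted so
# a working directory containing spaces cannot split the -v argument (the
# previous backslash-escaped flag string relied on unquoted word splitting).
# --rm drops the container afterwards so no exited container keeps a record of
# the mount. Both calls use the my-prod-sts profile defined in BUILD; the
# second call previously referenced a profile (aqt-prod-sts) that BUILD does
# not define.
creds_file="$(pwd)/bazel-bin/output_credentials"
docker run -it --rm --entrypoint= \
  -v "${creds_file}:/my_aws_credentials:ro" \
  -e AWS_SHARED_CREDENTIALS_FILE=/my_aws_credentials \
  amazon/aws-cli:2.0.54 aws sts get-caller-identity --profile=my-prod-sts
docker run -it --rm --entrypoint= \
  -v "${creds_file}:/my_aws_credentials:ro" \
  -e AWS_SHARED_CREDENTIALS_FILE=/my_aws_credentials \
  amazon/aws-cli:2.0.54 aws s3 ls --profile=my-prod-sts --region=ap-east-1
unset creds_file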
# OTP source backed by a KeePass database, presumably read via kpcli — confirm
# against otp.bzl.
load("otp.bzl", "kpcli_otp")
kpcli_otp(
name = "test-otp",
# kdb: the KeePass database (.kdbx) holding the OTP entry
kdb = ":test.kdbx",
# pwfile contains the master password of test.kdbx — keep it out of version
# control and readable only by the current user
pwfile = ":password",
# entry: path of the entry inside the database
entry = "Internet/test",
)