assume-role-with-web-identity in dockerfile


I have the following lines in my Dockerfile:

RUN aws sts assume-role-with-web-identity \
--role-arn ${AWS_ROLE_ARN} \
--role-session-name "test" \
--web-identity-token "$(cat /tmp/tokenfile)" \
--query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
--output text | awk '{print "export AWS_ACCESS_KEY_ID="$1"\nexport AWS_SECRET_ACCESS_KEY="$2"\nexport AWS_SESSION_TOKEN="$3}' \
&& aws s3 ls

Unfortunately, I got the following error when trying to run aws s3 ls: An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

I took the temporary credentials and used them locally; they work without problem.

The workaround I tried is to redirect the access key, secret access key and session token to the .aws/credentials file instead of creating env vars, and it works. But for security reasons I don't want to redirect the output to a file.

Do you have any advice regarding my issue?


There are 0 answers
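The behaviour in the question comes from the pipeline itself: the awk command prints lines that look like export statements, but printing "export AWS_ACCESS_KEY_ID=..." to stdout does not set anything in the shell that runs aws s3 ls, so that call runs with no credentials and gets AccessDenied. The script below is an added example (not code from the question or from the AWS CLI) that reproduces the failure against a constructed sample of the STS text output and shows the working form, which evaluates the printed export lines in the current shell with eval. The sample credential values are placeholders, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of what
#   aws sts assume-role-with-web-identity ... \
#     --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" --output text
# prints: one line, three tab-separated fields. Placeholder values, not real credentials.
SAMPLE_STS_OUTPUT=$(printf 'ASIAEXAMPLEKEYID\twJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\tFwoGZXIvYXdzEXAMPLESESSIONTOKEN==')

# Start from a clean slate so the demonstration does not pick up ambient credentials.
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

# Turn the three-field STS line on stdin into export statements on stdout.
# This is what the awk in the question does; the values are single-quoted here
# so that characters such as '/', '+' and '=' in the token cannot be misparsed.
sts_to_exports() {
  awk -v q="'" '{
    print "export AWS_ACCESS_KEY_ID=" q $1 q
    print "export AWS_SECRET_ACCESS_KEY=" q $2 q
    print "export AWS_SESSION_TOKEN=" q $3 q
  }'
}

# Broken pattern: the pipeline writes the export lines to stdout and nothing runs them,
# so the variable is still unset when the next command (aws s3 ls) executes.
broken_pipeline() {
  printf '%s\n' "$SAMPLE_STS_OUTPUT" | sts_to_exports >/dev/null
  printf '%s' "${AWS_ACCESS_KEY_ID:-unset}"
}

# Working pattern: capture the export lines and eval them in the current shell,
# then run the AWS command in that same shell (same RUN instruction) so it sees them.
working_pipeline() {
  eval "$(printf '%s\n' "$SAMPLE_STS_OUTPUT" | sts_to_exports)"
  printf '%s' "${AWS_ACCESS_KEY_ID:-unset}"
}

echo "without eval: AWS_ACCESS_KEY_ID is $(broken_pipeline)"
echo "with eval:    AWS_ACCESS_KEY_ID is $(working_pipeline)"
```

Two caveats apply when this is placed in a Dockerfile. Every RUN instruction starts a fresh shell, so even with eval the variables only exist for the remainder of that one RUN line; the `&& aws s3 ls` in the question is in the right place for that. Also, anything a RUN step writes to the filesystem ends up in an image layer and anything it echoes ends up in the build log, which is the same concern the question raises about the credentials file; keeping the credentials in shell variables that die with the RUN step, or doing the assume-role at container start rather than at build time, avoids persisting them at all.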