Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Solutions Architecture / 21 Aug 2023
GitLab / Solutions Architecture / 21 Aug 2023
Previous Meeting
Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Setting up OIDC to Get Credentials from Amazon Web Services

Description

Helpful Links:
GitLab Sandbox Cloud: https://gitlabsandbox.cloud/cloud
Sample Project: https://cs.gitlabdemo.cloud/jphilbin-group/configure-openid-connect-in-aws
Documentation: https://docs.gitlab.com/ee/ci/cloud_services/aws/

A

Hi, my name is Jamie Philbin and I'm, a Solutions architect with gitlab today, I'm going to show you how to successfully leverage openid connect to retrieve credentials from AWS within the gitlab CI CD pipeline once you've followed my example: you'll have a job that runs where you have an output of your credential from AWS like shown here, let's get started within gitlab's documentation. We've already got a really great tutorial on how to set this up, and it's split into three steps. First, we need to add an identity provider to AWS.

A

Next we have to configure a role and optionally a trust policy within AWS and then, lastly, retrieve our temporary credential Within gitlab. Let's start by going to AWS and adding an identity provider you'll see I'm already signed into AWS and I'm in the IAM dashboard under access management.

A

We want to navigate first to Identity providers, you'll see here that I've already got gitlab's demo Cloud environment set up as an identity provider, but I'll show you what it looks like if we are going to add gitlab.com so under provider top, you want to select openid connect and under the provider URL https gitlab.com make sure to not include a any slashes forward. Slashes at the end of gitlab.com same thing for the audience gitlab.com we select get thumbprint and then add provider.

A

Very quick, very easy, and now we've added gitlab.com is an identity provider with an AWS. Next, let's make a policy that we want to use with our role to retrieve credentials from AWS go over to create policy. We want to select simple token service STS for the actions allowed. We want to assume roll with web identity and for resources, I'll just specify all for demo purposes for the policy name I'm going to give it a name of video oidc policy and create our policy.

A

Next, let's make a web identity rule that this policy will be attached to go over to create role and under trusted entity type. We want to select web identity, we've got a selected provider and you'll see at the bottom. We've got: gitlabs demo, Cloud, environment and gitlab.com as potential identity providers that we added earlier I'm, going to select gitlabs demo, Cloud environment, same thing for the audience and then for permissions policies.

A

We can select our video oidc policy they've created earlier, or you could create a new policy right there for role, name I'm, going to call this video oidc role and create our role.

A

And you'll see it down here. Let's make note of this Arn we're going to need a little bit later. Let's set up a project now in gitlab to retrieve our credential from AWS.

A

I'm going to make a new project blank project that I'll call it video oidc.

A

Once that's complete, let's go to our ciml editor and configure our pipeline I'm, going to get rid of everything there and I'll leave a link in the description to a sample project uh with this.

A

These contents of the ciml, but essentially what this is doing, is I've declared two variables: AWS default region and AWS profile, so AWS default regions because specify which default region we want to use to retrieve our credential I've selected, Us East, one Northern, Virginia and then AWS profile is specifying the AWS profile to use self-explanatory and we're setting that to oidc the actual oidc example job. That's using the AWS CLI to interact with AWS services and the ID tokens section uh this job.

A

It's going to Define an ID token that we're going to call my oidc token, and this is going to be used to actually authenticate with AWS and then in our script, section. I'm, writing the AWS STS caller identity command, and this will retrieve the identity of the current user. Using the web identity role. We set up in AWS, so I'll commit these changes to a pipeline, but this pipeline is going to fail and that's because we're not done here, we need to set up a few CI CD variables.

A

So once we head to variables we'll get started with adding these first I'm going to add a roll Arn now I could have added this role, Arn to our ciml but I'm, putting it in our project level, CI CD settings- and this is basically a security consideration, project level variables right, they're stored in gitlab, but they're encrypted in Russian Transit. So this this is a sensitive secret and this is just a more secure way of handling it within our gitlab project. Also right now, this role the way I have it configured.

A

uh Anybody with the role Arn actually would be able to use it to retrieve credentials from AWS and I'll. Show you a little bit later how we can lock that down, but for now let's go back to AWS and copy our role, Arn and paste it in here make sure we've type set to variable and we'll add this variable.

A

Next, what we're going to do is add a web identity. Token.

A

And the value of this we're going to Nest the my oidc token variable from our ciml file.

A

My oidc token and then make sure to wrap that in curly braces and then also make sure to set this as a file type variable foreign and then finally, we have an AWS config file variable and so for the value of this, it's going to be a little bit. Bigger first is square brackets profile, oidc.

A

On the next line, we want to Nest our role, Arn variable, so we're going to say, roll Arn equals and then our role, Arn variable.

A

Wrap that in curly braces and then on our last line web identity token file equals and then we're going to Nest our web identity. Token variable.

A

Web identity.

A

Token and again make sure this is set to a file type variable.

A

So now, we've added three variables: AWS config file as a file type, our role, Arn and then another file type variable for web identity. Token, let's take a look at that pipeline that ran we'll see that it failed. Let's run it one more time now that we've added our three project level, cic variables.

A

Go into the job, this should complete pretty quickly, usually under 30 seconds. In my case,.

A

And you'll see: we've successfully retrieved a credential from AWS using open ID connect, um so, like I, said earlier right, this role that we've set up right now this can be used by anybody to retrieve a credential from AWS uh within my AWS account. Let's lock this down uh just to end our video and I'll show you what that looks like: let's go back to the IM console and our video oidc role, which we created, and we want to navigate over to trust relationships and edit our trust policy right now.

A

This role is going to work on any group project, Branch subgroup, whatever it may be in the gitlab demo Cloud environment here, but, let's just say, I want to lock it down to the J Philbin group that I have set up on my own account and then a security group also that I have set up we'll update our policy.

A

Let's go back to gitlab and run this pipeline one more time.

A

So we've changed this so that this role should only run on the J Philbin, Security, Group and you'll see that we've got an access denied error that gets thrown now when we want to use our web identity role. So thank you for, following with my video on retrieving an openid credential from AWS or using openid Azure retriever credential from AWS I hope you found this really helpful and goodbye. Thank you.