- When the `plugins/aws-oidc` plugin is used in a Harness CI pipeline stage, CI Manager automatically retrieves the OIDC token during pipeline execution. This token is passed to the `PLUGIN_OIDC_TOKEN_ID` environment variable.
- The plugin uses this token (`PLUGIN_OIDC_TOKEN_ID`) to generate temporary AWS credentials, which can be utilized in subsequent steps to perform AWS operations.
- These temporary credentials are exported as masked secrets. They can be referenced in later steps using `<+execution.steps.awsOidc.output.outputVariables.AWS_ACCESS_KEY_ID>` but cannot be viewed directly.
- See the sample pipeline YAML below for a complete example.
```yaml
steps:
  - step:
      type: Plugin
      name: AWS OIDC Plugin
      identifier: awsOidc
      spec:
        connectorRef: account.harnessImage
        image: plugins/aws-oidc:latest
        settings:
          iamRoleArn: arn:aws:iam::0897867564534:role/op-ansibler
          role_session_name: awsoidc
          duration: "3600"
  - step:
      type: Run
      name: "Verify AWS Temp Creds"
      identifier: Run_1
      spec:
        shell: Sh
        command: |
          echo "Printing just the AWS Access Key ID that we retrieved from the last step"
          echo <+execution.steps.awsOidc.output.outputVariables.AWS_ACCESS_KEY_ID>
          #echo <+execution.steps.awsOidc.output.outputVariables.AWS_SECRET_ACCESS_KEY>
          #echo <+execution.steps.awsOidc.output.outputVariables.AWS_SESSION_TOKEN>
```
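
A later Run step can check the credentials from the `awsOidc` step without echoing any of them. The POSIX `sh` function below is an added example, not part of the Harness documentation or the plugin; `check_temp_creds` is a hypothetical helper name, and the commented invocation assumes the step image has the AWS CLI installed.

```shell
#!/bin/sh
# Added example: sanity-check the temporary credentials, then export them
# for AWS tooling in the same step. Nothing secret is written to the log.

check_temp_creds() {
    key_id=$1 secret=$2 token=$3

    # Temporary credentials always come as a triple; a missing session
    # token means these are not usable STS credentials.
    if [ -z "$key_id" ] || [ -z "$secret" ] || [ -z "$token" ]; then
        echo "missing credential value from awsOidc step" >&2
        return 1
    fi

    # STS-issued temporary access key IDs start with ASIA;
    # long-term IAM user keys start with AKIA.
    case "$key_id" in
        ASIA*) ;;
        *) echo "access key ID is not a temporary (ASIA) key" >&2
           return 1 ;;
    esac

    # Standard variable names read by the AWS CLI and SDKs.
    export AWS_ACCESS_KEY_ID="$key_id"
    export AWS_SECRET_ACCESS_KEY="$secret"
    export AWS_SESSION_TOKEN="$token"
    return 0
}

# In the Run step's command (Harness resolves the expressions first):
#   check_temp_creds \
#     '<+execution.steps.awsOidc.output.outputVariables.AWS_ACCESS_KEY_ID>' \
#     '<+execution.steps.awsOidc.output.outputVariables.AWS_SECRET_ACCESS_KEY>' \
#     '<+execution.steps.awsOidc.output.outputVariables.AWS_SESSION_TOKEN>' \
#     && aws sts get-caller-identity
```

`aws sts get-caller-identity` returns the assumed-role ARN, which confirms that the session belongs to the role named in `iamRoleArn`.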