AWS
- Authentication & Configuration
- STS Assume Role
- Systems Manager (SSM) Parameter Store
- Secrets Manager
- S3 file
Authentication & Configuration
Authenticating with the `aws` CLI is enough: Novops uses whatever credentials are locally available. Specify your AWS credentials as usual (see AWS Programmatic access or Credentials quickstart).
Credentials are loaded in order of priority:
- Environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, etc.
- Config files `.aws/config` and `.aws/credentials`
- IAM Role attached to the ECS task or EC2 instance
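The priority order above is the standard AWS SDK credential chain. The following is an added example (not Novops code, which relies on the AWS SDK for this) modelling that chain with the standard library only, so you can see which identity wins when several are present and why a half-set environment pair should fail rather than fall through. The sample credentials and config file contents are constructed; the instance/task role step is an injected callable standing in for the IMDS or ECS credentials endpoint.

```python
"""Resolve AWS credentials in the documented order of priority:
environment variables, then the shared credentials/config files,
then an IAM role attached to the instance or task.

Added example (not Novops code): a stdlib-only model of the lookup
chain the AWS SDK performs. The file contents below are constructed."""
import configparser
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Credentials:
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str]
    source: str  # which step of the chain produced them


# Constructed sample files, shaped like ~/.aws/credentials and ~/.aws/config.
SAMPLE_CREDENTIALS_FILE = """
[default]
aws_access_key_id = AKIADEFAULTEXAMPLEKEY
aws_secret_access_key = defaultSecretExample

[novops]
aws_access_key_id = AKIANOVOPSEXAMPLEKEY
aws_secret_access_key = novopsSecretExample
"""

SAMPLE_CONFIG_FILE = """
[profile novops]
region = eu-central-1
"""


def _from_ini(text: str, section: str, source: str) -> Optional[Credentials]:
    """Read a static key pair from one INI section, if that section has one."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    if not parser.has_section(section):
        return None
    sec = parser[section]
    if "aws_access_key_id" not in sec or "aws_secret_access_key" not in sec:
        return None
    return Credentials(sec["aws_access_key_id"], sec["aws_secret_access_key"],
                       sec.get("aws_session_token"), source)


def resolve_credentials(
    env: dict,
    credentials_file: str = "",
    config_file: str = "",
    role_fetcher: Optional[Callable[[], Credentials]] = None,
) -> Optional[Credentials]:
    """Return the first credentials found, walking the chain in priority order."""
    # 1. Environment variables. A half-set pair is a misconfiguration, not a
    #    fallthrough: surface it rather than silently using another identity.
    ak = env.get("AWS_ACCESS_KEY_ID")
    sk = env.get("AWS_SECRET_ACCESS_KEY")
    if bool(ak) != bool(sk):
        raise ValueError("AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must be set together")
    if ak and sk:
        return Credentials(ak, sk, env.get("AWS_SESSION_TOKEN") or None, "environment")

    # 2. Shared files. AWS_PROFILE selects the profile; the credentials file
    #    names sections by profile, the config file as "[profile <name>]"
    #    except for "[default]".
    profile = env.get("AWS_PROFILE") or "default"
    config_section = "default" if profile == "default" else f"profile {profile}"
    for text, section, source in (
        (credentials_file, profile, "credentials file"),
        (config_file, config_section, "config file"),
    ):
        found = _from_ini(text, section, source) if text else None
        if found:
            return found

    # 3. Role attached to the EC2 instance or ECS task (IMDS / container
    #    credentials endpoint), modelled here as an injected callable.
    if role_fetcher is not None:
        return role_fetcher()
    return None
```

Setting `AWS_PROFILE=novops` with no keys in the environment is the usual way to make Novops pick the `novops` profile that the `source_profile` example further down refers to; exporting a key pair in the environment overrides every profile, which is worth remembering when a CI runner has leftover variables.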
You can also use the `config` root element to override certain settings (such as the AWS endpoint), for example:

```yaml
config:
  aws:
    endpoint: "http://localhost:4566/" # Use LocalStack endpoint
    region: eu-central-1 # Set AWS region name
```
STS Assume Role
Generate temporary IAM Role credentials with STS AssumeRole:

Note that `aws` is a sub-key of an environment (alongside `files` and `variables`), not a `files` or `variables` entry, as it outputs multiple variables: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN`. The `source_profile` must exist in your `.aws/config` or `.aws/credentials`, and the identity behind it must be allowed to `sts:AssumeRole` the target role by that role's trust policy.

```yaml
environments:
  dev:
    # Output variables to assume IAM Role:
    # AWS_ACCESS_KEY_ID
    # AWS_SECRET_ACCESS_KEY
    # AWS_SESSION_TOKEN
    aws:
      assume_role:
        role_arn: arn:aws:iam::123456789012:role/my_dev_role # 12-digit account ID
        source_profile: novops
```
Systems Manager (SSM) Parameter Store
Retrieve key/values from AWS SSM Parameter Store as environment variables or files. `with_decryption` matters for `SecureString` parameters: when enabled, the plaintext value is returned, and the calling identity also needs `kms:Decrypt` on the key the parameter is encrypted with.

```yaml
environments:
  dev:
    variables:
      - name: MY_SSM_PARAM_STORE_VAR
        value:
          aws_ssm_parameter:
            name: some-param
            # with_decryption: true/false
    files:
      - name: MY_SSM_PARAM_STORE_FILE
        content:
          aws_ssm_parameter:
            name: some-var-in-file
```
Secrets Manager
Retrieve secrets from AWS Secrets Manager as environment variables or files. `id` is the secret's name or ARN; a secret stored as a string suits a variable, while a binary secret is better loaded as a file:

```yaml
environments:
  dev:
    variables:
      - name: MY_SECRETSMANAGER_VAR
        value:
          aws_secret:
            id: my-string-secret
    files:
      - name: MY_SECRETSMANAGER_FILE
        content:
          aws_secret:
            id: my-binary-secret
```
S3 file
Load S3 objects as files or environment variables:

```yaml
environments:
  dev:
    variables:
      - name: S3_OBJECT_AS_VAR
        value:
          aws_s3_object:
            bucket: some-bucket
            key: path/to/object
    files:
      - symlink: my-s3-object.json
        content:
          aws_s3_object:
            bucket: some-bucket
            key: path/to/object.json
```

It's also possible to specify the region in which the bucket is located if it differs from the configured region:

```yaml
aws_s3_object:
  bucket: some-bucket
  key: path/to/object
  region: eu-central-1
```
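Every source in the STS, SSM Parameter Store, Secrets Manager and S3 sections above maps to one AWS API call that the identity running Novops must be allowed to make. The following is an added example, not part of Novops, that walks an environment shaped like those YAML examples (written here as a Python dict) and derives the least-privilege IAM statements that identity needs. It assumes the single-item read APIs (`ssm:GetParameter`, `secretsmanager:GetSecretValue`, `s3:GetObject`), and takes the account ID and region as inputs because Novops sources do not carry them; the `EXAMPLE_ENV` input and the `Sid` names are constructed.

```python
"""Derive the least-privilege IAM statements the identity running Novops
needs for one environment: sts:AssumeRole for an `aws.assume_role` block
plus one read action per SSM parameter, Secrets Manager secret and S3
object referenced under `variables` or `files`.

Added example, not part of Novops. Account ID and region are assumed
inputs; the ARN formats are the standard AWS ones."""
import json

# Constructed input: the dev environment from the STS, SSM, Secrets Manager
# and S3 examples above, merged into one.
EXAMPLE_ENV = {
    "aws": {"assume_role": {"role_arn": "arn:aws:iam::123456789012:role/my_dev_role",
                            "source_profile": "novops"}},
    "variables": [
        {"name": "MY_SSM_PARAM_STORE_VAR", "value": {"aws_ssm_parameter": {"name": "some-param"}}},
        {"name": "MY_SECRETSMANAGER_VAR", "value": {"aws_secret": {"id": "my-string-secret"}}},
        {"name": "S3_OBJECT_AS_VAR",
         "value": {"aws_s3_object": {"bucket": "some-bucket", "key": "path/to/object"}}},
    ],
    "files": [
        {"name": "MY_SSM_PARAM_STORE_FILE", "content": {"aws_ssm_parameter": {"name": "some-var-in-file"}}},
        {"name": "MY_SECRETSMANAGER_FILE", "content": {"aws_secret": {"id": "my-binary-secret"}}},
        {"symlink": "my-s3-object.json",
         "content": {"aws_s3_object": {"bucket": "some-bucket", "key": "path/to/object.json",
                                       "region": "eu-central-1"}}},
    ],
}


def _sources(env_cfg):
    """Yield every `value` / `content` source of an environment."""
    for item in env_cfg.get("variables", []):
        yield item.get("value", {})
    for item in env_cfg.get("files", []):
        yield item.get("content", {})


def novops_read_policy(env_cfg, account_id, region):
    """Build an IAM policy document covering exactly the sources referenced."""
    ssm, secrets, objects = set(), set(), set()
    for src in _sources(env_cfg):
        if not isinstance(src, dict):
            continue  # plain string values need no AWS permission
        if "aws_ssm_parameter" in src:
            # Parameter ARNs are "parameter/<name>"; a leading "/" in the name is not doubled.
            name = src["aws_ssm_parameter"]["name"].lstrip("/")
            ssm.add(f"arn:aws:ssm:{region}:{account_id}:parameter/{name}")
        elif "aws_secret" in src:
            sid = src["aws_secret"]["id"]
            # `id` may already be a full ARN; a bare name needs a wildcard for the
            # random "-XXXXXX" suffix Secrets Manager appends to every secret ARN.
            secrets.add(sid if sid.startswith("arn:")
                        else f"arn:aws:secretsmanager:{region}:{account_id}:secret:{sid}-*")
        elif "aws_s3_object" in src:
            obj = src["aws_s3_object"]
            objects.add(f"arn:aws:s3:::{obj['bucket']}/{obj['key']}")  # S3 ARNs carry no region

    statements = []
    role_arn = env_cfg.get("aws", {}).get("assume_role", {}).get("role_arn")
    if role_arn:
        statements.append({"Sid": "AssumeDevRole", "Effect": "Allow",
                           "Action": "sts:AssumeRole", "Resource": role_arn})
    if ssm:
        # SecureString parameters read with with_decryption additionally need
        # kms:Decrypt on their key, which the Novops config does not name.
        statements.append({"Sid": "ReadSsmParameters", "Effect": "Allow",
                           "Action": "ssm:GetParameter", "Resource": sorted(ssm)})
    if secrets:
        statements.append({"Sid": "ReadSecrets", "Effect": "Allow",
                           "Action": "secretsmanager:GetSecretValue", "Resource": sorted(secrets)})
    if objects:
        statements.append({"Sid": "ReadS3Objects", "Effect": "Allow",
                           "Action": "s3:GetObject", "Resource": sorted(objects)})
    return {"Version": "2012-10-17", "Statement": statements}


def example_policy():
    return novops_read_policy(EXAMPLE_ENV, "123456789012", "eu-central-1")


if __name__ == "__main__":
    print(json.dumps(example_policy(), indent=2))
```

Attach the resulting document to the `novops` source profile's identity and compare it against what that identity actually holds; anything broader (a `secretsmanager:*` or `s3:GetObject` on `*`) means a leaked Novops run would expose more than the environment references.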