GitHub Actions aws-actions/configure-aws-credentials with multiple accounts for deploy and state backend


I'm trying to set up a CI pipeline on GitHub Actions that could support multiple AWS accounts.

I have a "dev" account for deploying all the dev infrastructure and an "admin" account in which we manage terraform state (in an S3 bucket) for multiple projects, including this one.

So when deploying with CDKTF I must access with two accounts: one for the aws provider, that will perform the deploy, and another one to access the bucket holding the state.

I created two roles in the two accounts separately, as explained in the aws-actions/configure-aws-credentials repository, and configured the CI like this:


      # Minimal job around the two steps; both roles are assumed through OIDC,
      # which needs id-token: write on the job.
      jobs:
        deploy:
          runs-on: ubuntu-latest
          permissions:
            id-token: write
            contents: read
          env:
            AWS_REGION: eu-west-1   # placeholder region, adjust to your own
          steps:
            - name: Configure AWS Credentials for Dev
              uses: aws-actions/configure-aws-credentials@v1
              with:
                # 'with' values are not shell-expanded: use the expression syntax
                aws-region: ${{ env.AWS_REGION }}
                role-to-assume: ${{ secrets.CI_ROLE_ARN_DEV }}
                role-session-name: dev-session

            - name: Configure AWS Credentials for Admin
              uses: aws-actions/configure-aws-credentials@v1
              with:
                aws-region: ${{ env.AWS_REGION }}
                role-to-assume: ${{ secrets.CI_ROLE_ARN_ADMIN }}
                role-session-name: admin-session

But when running cdktf deploy I get the error "failed to get shared config profile, dev", where dev is the name of the profile specified in the AwsProvider like this:

        const provider = new AwsProvider(this, 'aws-provider', {
            region: awsRegion,
            profile: 'dev'
        });

In fact, when executing aws sts get-caller-identity in GH Actions, the output shows it is logged in as the admin account, because it's the last one I configured.

I don't know how I can tell GitHub to manage both accounts at the same time.

Keep in mind: when deploying locally, if I login via sso (aws sso login --profile <profile-name>) with both profiles, I can deploy everything with no problem at all.

Following another Stack Overflow question (that I can't find right now), I tried configuring the profiles like this directly in the CI:


- name: Configure aws credentials
  run: |
    aws configure set aws_access_key_id "${{ secrets.AWS_ACCESS_KEY_ID_DEV }}" --profile dev
    aws configure set aws_secret_access_key "${{ secrets.AWS_SECRET_ACCESS_KEY_DEV }}" --profile dev
    aws configure set aws_access_key_id "${{ secrets.AWS_ACCESS_KEY_ID_ADMIN }}" --profile admin
    # --profile flag was missing on this line
    aws configure set aws_secret_access_key "${{ secrets.AWS_SECRET_ACCESS_KEY_ADMIN }}" --profile admin
    # note: this prints both secret keys into the job log
    cat "$AWS_SHARED_CREDENTIALS_FILE"

and despite the cat showing the right information, when running cdktf deploy I get the following:

error configuring S3 Backend: no valid credential sources for S3 Backend found.

Also, when calling aws sts get-caller-identity on both profiles I always get "An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid."

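Added example, not part of the question: each configure-aws-credentials step exports AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN into the job environment, so the second step overwrites the first, which matches the get-caller-identity result above. One way to keep both accounts is to snapshot the environment into a named profile in a `run:` step right after each configure step, so the AwsProvider can keep `profile: 'dev'` and the S3 backend, which also accepts a profile setting, can be pointed at `admin`. The POSIX shell below (my own code, assuming only the standard AWS_SHARED_CREDENTIALS_FILE override that the AWS CLI and SDKs honour; the profile names come from the post) does that, records the session token that temporary assumed-role credentials need and that the `aws configure set` lines above never write, and adds a check that reports whether a profile is complete without printing secret values into the job log the way `cat "$AWS_SHARED_CREDENTIALS_FILE"` does.

```shell
#!/bin/sh
# Added example (not the question author's code): snapshot the temporary
# credentials exported by a configure-aws-credentials step into a named
# profile, so a later step can overwrite the job environment for another
# account. Assumes only AWS_SHARED_CREDENTIALS_FILE, the standard override
# honoured by the AWS CLI and SDKs; profile names "dev"/"admin" are the post's.

creds_file() {
  # Same default path the SDKs use when the override is not set
  printf '%s\n' "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
}

persist_profile() {
  # $1 = profile name; reads AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY /
  # AWS_SESSION_TOKEN from the environment, as exported by the action step
  profile="$1"
  file="$(creds_file)"
  if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
    echo "persist_profile: no credentials in environment for profile $profile" >&2
    return 1
  fi
  mkdir -p "$(dirname "$file")"
  (
    umask 077   # the file holds secrets: owner-only permissions
    {
      printf '[%s]\n' "$profile"
      printf 'aws_access_key_id = %s\n' "$AWS_ACCESS_KEY_ID"
      printf 'aws_secret_access_key = %s\n' "$AWS_SECRET_ACCESS_KEY"
      # assumed-role credentials are temporary and only valid with their token
      if [ -n "$AWS_SESSION_TOKEN" ]; then
        printf 'aws_session_token = %s\n' "$AWS_SESSION_TOKEN"
      fi
      printf '\n'
    } >> "$file"
  )
}

profile_has_key() {
  # $1 = file, $2 = profile, $3 = key; exit 0 when the key has a non-empty
  # value inside that profile section. Prints nothing, so it is safe in CI logs.
  awk -v section="[$2]" -v key="$3" '
    $0 == section { inside = 1; next }
    /^\[/         { inside = 0 }
    inside && $1 == key && $2 == "=" && $3 != "" { found = 1 }
    END { if (found) exit 0; exit 1 }
  ' "$1"
}

profile_complete() {
  # $1 = file, $2 = profile: all three values a temporary credential needs
  profile_has_key "$1" "$2" aws_access_key_id &&
    profile_has_key "$1" "$2" aws_secret_access_key &&
    profile_has_key "$1" "$2" aws_session_token
}

# Stand-alone demo with constructed placeholder values. In the workflow the
# environment comes from the preceding configure-aws-credentials step instead.
demo() {
  tmp="$(mktemp)"
  export AWS_SHARED_CREDENTIALS_FILE="$tmp"
  export AWS_ACCESS_KEY_ID="ASIA_DEV_PLACEHOLDER" \
         AWS_SECRET_ACCESS_KEY="dev-secret-placeholder" \
         AWS_SESSION_TOKEN="dev-token-placeholder"
  persist_profile dev
  export AWS_ACCESS_KEY_ID="ASIA_ADMIN_PLACEHOLDER" \
         AWS_SECRET_ACCESS_KEY="admin-secret-placeholder" \
         AWS_SESSION_TOKEN="admin-token-placeholder"
  persist_profile admin
  for p in dev admin; do
    if profile_complete "$tmp" "$p"; then
      echo "profile $p: complete"
    else
      echo "profile $p: missing a credential field" >&2
    fi
  done
  rm -f "$tmp"
  unset AWS_SHARED_CREDENTIALS_FILE AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

demo
```

In the workflow, `persist_profile dev` would run in a `run:` step directly after the Dev configure step and `persist_profile admin` after the Admin one; `profile_complete` can then replace the `cat` as a sanity check that fails the job when a profile is missing a field, without leaking the values.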