I'm trying to set up a CI pipeline on GitHub Actions that can support multiple AWS accounts.
I have a "dev" account for deploying all the dev infrastructure and an "admin" account in which we manage Terraform state (in an S3 bucket) for multiple projects, including this one.
So when deploying with CDKTF I must access two accounts: one for the AWS provider, which will perform the deploy, and another one to access the bucket holding the state.
I created two roles in the two accounts separately, as explained in the aws-actions/configure-aws-credentials repository, and configured the CI like this:
```yaml
- name: Configure AWS Credentials for Dev
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-region: $AWS_REGION
    role-to-assume: ${{ secrets.CI_ROLE_ARN_DEV }}
    role-session-name: dev-session
- name: Configure AWS Credentials for Admin
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-region: $AWS_REGION
    role-to-assume: ${{ secrets.CI_ROLE_ARN_ADMIN }}
    role-session-name: admin-session
```
But when running `cdktf deploy` I get the error `failed to get shared config profile, dev`, where `dev` is the name of the profile specified in the `AwsProvider` like this:
```typescript
const provider = new AwsProvider(this, 'aws-provider', {
  region: awsRegion,
  profile: 'dev'
});
```
In fact, when executing `aws sts get-caller-identity` in GH Actions, the output shows it's logged in as the admin account, because it's the last one I configured.
I don't know how I can tell GitHub to manage both accounts at the same time.
Keep in mind: when deploying locally, if I log in via SSO (`aws sso login --profile <profile-name>`) with both profiles, I can deploy everything with no problem at all.
Following another Stack Overflow question (that I can't find right now), I tried configuring the profiles like this directly in the CI:
```yaml
- name: Configure aws credentials
  run: |
    aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID_DEV }} --profile dev
    aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY_DEV }} --profile dev
    aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID_ADMIN }} --profile admin
    aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY_ADMIN }} admin
    cat "$AWS_SHARED_CREDENTIALS_FILE"
```
and despite it `cat`ting the right information, when running `cdktf deploy` I get the following:

```
error configuring S3 Backend: no valid credential sources for S3 Backend found.
```
Also, when calling `aws sts get-caller-identity` on both profiles I always get:

```
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.
```
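The mechanism behind the first symptom is that each run of `aws-actions/configure-aws-credentials` exports the assumed-role credentials as the same `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` / `AWS_SESSION_TOKEN` variables, so the second run replaces the first. As an added example (not the asker's code), here is a small POSIX shell helper that copies whatever the action just exported into a named profile in the shared credentials file, so that `dev` and `admin` can coexist and be selected by the `profile` setting; it assumes `AWS_SHARED_CREDENTIALS_FILE` points at a writable file and writes the INI format directly rather than calling the `aws` CLI.

```shell
#!/usr/bin/env sh
# Added example, not from the original question. Call `save_profile dev` in a
# `run:` step right after the "dev" configure step and `save_profile admin`
# right after the "admin" one, so each set of temporary credentials is kept
# under its own profile instead of being overwritten in the environment.

save_profile() {
  # $1 = profile name, e.g. "dev" or "admin"
  profile="$1"
  file="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
  mkdir -p "$(dirname "$file")"
  # Fail loudly if the configure step has not exported credentials yet.
  : "${AWS_ACCESS_KEY_ID:?not set; run configure-aws-credentials first}"
  : "${AWS_SECRET_ACCESS_KEY:?not set; run configure-aws-credentials first}"
  {
    printf '[%s]\n' "$profile"
    printf 'aws_access_key_id = %s\n' "$AWS_ACCESS_KEY_ID"
    printf 'aws_secret_access_key = %s\n' "$AWS_SECRET_ACCESS_KEY"
    # Assumed-role credentials are temporary and carry a session token;
    # without it the SDK reports the key as an invalid token.
    if [ -n "${AWS_SESSION_TOKEN:-}" ]; then
      printf 'aws_session_token = %s\n' "$AWS_SESSION_TOKEN"
    fi
    printf '\n'
  } >> "$file"
  # The file now holds live credentials: keep it readable only by the runner user.
  chmod 600 "$file"
}

# Read one key of one profile back, to verify what was written.
profile_value() {
  # $1 = profile name, $2 = key (e.g. aws_access_key_id)
  file="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
  awk -v p="[$1]" -v k="$2" '
    $0 == p            { inside = 1; next }   # entered the wanted section
    /^\[/              { inside = 0 }         # any other section header ends it
    inside && $1 == k  { print $3; exit }     # "key = value" -> print value
  ' "$file"
}
```

Whether a provider or backend then prefers the named profile over the still-exported `AWS_*` variables depends on the SDK's credential resolution order, so check `aws sts get-caller-identity --profile dev` and `--profile admin` in the same job before relying on it.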