From ec40b947950275e7478a89da7b64c1145eea5f50 Mon Sep 17 00:00:00 2001
From: Evert Daniel Romero Garrido
Date: Thu, 16 Apr 2026 11:20:59 -0600
Subject: [PATCH] fix(oidc): explicit STS assume-role for Terraform S3 backend compatibility
The previous script only exported AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN, expecting AWS CLI/Terraform to pick them up automatically. However, Terraform's S3 backend does not use these variables implicitly. Now we explicitly call 'aws sts assume-role-with-web-identity', parse the JSON response, and export the temporary credentials:
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AWS_SESSION_TOKEN
Also exports AWS_REGION for Terraform S3 backend compatibility.
Fixes pipeline failure in step 03_terraform with: InvalidIdentityToken: Incorrect token audience
---
scripts/aws-oidc-setup.sh | 37 ++++++++++++++++++++++++++++++-------
1 file changed, 30 insertions(+), 7 deletions(-)
diff --git a/scripts/aws-oidc-setup.sh b/scripts/aws-oidc-setup.sh
index 37b2203..06b5038 100755
--- a/scripts/aws-oidc-setup.sh
+++ b/scripts/aws-oidc-setup.sh
@@ -2,15 +2,17 @@
 # ===============================================================================================================
 # aws-oidc-setup.sh - Configura credenciales AWS via OIDC para Bitbucket Pipelines
 # Descripción:
-# Exporta las variables necesarias para que AWS CLI y Terraform usen
-# el token OIDC de Bitbucket y asuman el rol IAM correspondiente.
+# Obtiene credenciales temporales de AWS explícitamente mediante
+# assume-role-with-web-identity y exporta las variables necesarias
+# para que Terraform (incluyendo su backend S3) y AWS CLI funcionen.
 #
 # Uso:
 # source scripts/aws-oidc-setup.sh
 #
 # Requiere:
 # - El step de bitbucket-pipelines.yml debe tener "oidc: true"
-# - AWS CLI moderno que soporte AWS_WEB_IDENTITY_TOKEN_FILE
+# - AWS CLI v2 instalado
+# - python3 disponible para parsear JSON
 # ===============================================================================================================
 
 set -euo pipefail
@@ -32,11 +34,32 @@ else
 export AWS_ROLE_ARN="arn:aws:iam::668889063715:role/BitbucketProyectosaccCICDRoleDev"
 fi
 
+SESSION_NAME="bitbucket-pipelines-proyectosacc-${ENV:-dev}-${BITBUCKET_BUILD_NUMBER:-unknown}"
 export AWS_DEFAULT_REGION="mx-central-1"
 
 echo "=== AWS OIDC Setup ==="
-echo "Ambiente : $ENV"
-echo "Role ARN : $AWS_ROLE_ARN"
-echo "Region : $AWS_DEFAULT_REGION"
-echo "Token file: $AWS_WEB_IDENTITY_TOKEN_FILE"
+echo "Ambiente : $ENV"
+echo "Role ARN : $AWS_ROLE_ARN"
+echo "Region : $AWS_DEFAULT_REGION"
+echo "Session Name : $SESSION_NAME"
+echo "Token file : $AWS_WEB_IDENTITY_TOKEN_FILE"
+echo "Obteniendo credenciales temporales via STS..."
+
+CREDS=$(aws sts assume-role-with-web-identity \
+ --role-arn "$AWS_ROLE_ARN" \
+ --role-session-name "$SESSION_NAME" \
+ --web-identity-token "file://${AWS_WEB_IDENTITY_TOKEN_FILE}" \
+ --duration-seconds 3600 \
+ --output json)
+
+export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | python3 -c "import sys,json; print(json.load(sys.stdin)['Credentials']['AccessKeyId'])")
+export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | python3 -c "import sys,json; print(json.load(sys.stdin)['Credentials']['SecretAccessKey'])")
+export AWS_SESSION_TOKEN=$(echo "$CREDS" | python3 -c "import sys,json; print(json.load(sys.stdin)['Credentials']['SessionToken'])")
+
+# Terraform S3 backend requiere estas variables explícitas
+export AWS_REGION="${AWS_DEFAULT_REGION}"
+
+echo "Credenciales obtenidas exitosamente."
+echo "AWS_ACCESS_KEY_ID : ${AWS_ACCESS_KEY_ID:0:8}..."
+echo "AWS_SESSION_TOKEN : ${AWS_SESSION_TOKEN:0:8}..."
 echo "======================"
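Review bot: The three `export AWS_…=$(echo "$CREDS" | python3 …)` lines mask failures: under `set -e` the status that counts is `export`'s, so a parse error exports an empty credential and the sourced shell carries on into Terraform with a broken environment, while the full credential JSON stays in `CREDS` for the rest of the session. A single STS call with `--query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text` read into the three variables parses once, drops the python3 dependency, lets a failed call abort, and allows the raw response to be unset; the rewrite is below. Printing the first eight characters of `AWS_SESSION_TOKEN` adds nothing for debugging, so log only the access key id (or nothing) and keep every part of a secret out of build output. The commit message attributes the original failure to `InvalidIdentityToken: Incorrect token audience`, but nothing in this hunk changes the token or its audience claim; if that error came from STS, the audience configured on the IAM OIDC provider is presumably still what needs checking.
```shell
# … unchanged: banner echo lines …
# One STS call; --query selects the three fields so python3 is not needed,
# and a failed call aborts the sourced script instead of exporting empty values.
creds=$(aws sts assume-role-with-web-identity \
  --role-arn "$AWS_ROLE_ARN" \
  --role-session-name "$SESSION_NAME" \
  --web-identity-token "file://${AWS_WEB_IDENTITY_TOKEN_FILE}" \
  --duration-seconds 3600 \
  --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
  --output text) || return 1
read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<<"$creds"
unset creds
[[ -n "$AWS_SESSION_TOKEN" ]] || { echo "STS returned no credentials" >&2; return 1; }
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
# … unchanged: AWS_REGION export and summary echo lines …
```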