Commit Graph

3 Commits

Author SHA1 Message Date
Evert Daniel Romero Garrido 18b436e582 fix(oidc): install AWS CLI v2 inside aws-oidc-setup.sh if missing 2026-04-16 11:42:54 -06:00
Evert Daniel Romero Garrido ec40b94795 fix(oidc): explicit STS assume-role for Terraform S3 backend compatibility
The previous script only exported AWS_WEB_IDENTITY_TOKEN_FILE and
AWS_ROLE_ARN, expecting AWS CLI/Terraform to pick them up automatically.
However, Terraform's S3 backend does not use these variables implicitly.

Now we explicitly call 'aws sts assume-role-with-web-identity',
parse the JSON response, and export the temporary credentials:
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AWS_SESSION_TOKEN

Also exports AWS_REGION for Terraform S3 backend compatibility.

Fixes pipeline failure in step 03_terraform with:
InvalidIdentityToken: Incorrect token audience
2026-04-16 11:20:59 -06:00
Evert Daniel Romero Garrido 744c5d1413 feat(iam): implement OIDC authentication between Bitbucket Pipelines and AWS
- Adds aws_iam_openid_connect_provider and IAM roles for DEV/PROD
- Updates bitbucket-pipelines.yml to use OIDC in steps 03, 05, 07
- Creates the helper script scripts/aws-oidc-setup.sh
- Adds the tls provider in terraform/provider.tf
- Documents the full flow in docs/14-oidc-bitbucket-aws.md

Removes the dependency on static AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
in the pipeline, allowing authentication without long-lived credentials
via AssumeRoleWithWebIdentity.

Refs: DEV account 668889063715, PROD account 523761210517
2026-04-15 12:50:31 -06:00