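#!/bin/bash
# ===============================================================================================================
# aws-oidc-setup.sh - Configures AWS credentials via OIDC for Bitbucket Pipelines
#
# Description:
#   Explicitly obtains temporary AWS credentials with
#   assume-role-with-web-identity and exports the variables that Terraform
#   (including its S3 backend) and the AWS CLI need.
#
# Usage:
#   source scripts/aws-oidc-setup.sh [dev|prod]
#
# Requires:
#   - The step in bitbucket-pipelines.yml must have "oidc: true"
#   - AWS CLI v2 (installed on the fly when missing; that path needs curl and unzip)
#
# Notes:
#   - The script is meant to be sourced: `set -e` and `exit 1` act on the
#     calling shell, which is what fails the pipeline step on error.
#   - The OIDC token and the STS credentials are bearer secrets: they are never
#     passed on a command line, never printed in full, and the token file is
#     created with mode 0600.
# ===============================================================================================================
set -euo pipefail

# --- AWS CLI bootstrap -------------------------------------------------------
if ! command -v aws &> /dev/null; then
  echo "AWS CLI no encontrado. Instalando AWS CLI v2..."
  # -f makes an HTTP error fail the download instead of silently saving an
  # error page as the zip; -S still reports that error on stderr despite -s.
  # NOTE(review): the installer is not signature-checked here; AWS publishes a
  # PGP signature for this zip, consider verifying it before ./aws/install.
  curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
  unzip -q awscliv2.zip
  ./aws/install --update
  rm -rf -- awscliv2.zip aws
  aws --version
fi

# --- Inputs ------------------------------------------------------------------
# Target environment; when sourced without arguments, $1 is the caller's $1.
ENV="${1:-dev}"

if [[ -z "${BITBUCKET_STEP_OIDC_TOKEN:-}" ]]; then
  echo "ERROR: BITBUCKET_STEP_OIDC_TOKEN no está definido."
  echo "Asegúrate de agregar 'oidc: true' al step en bitbucket-pipelines.yml"
  exit 1
fi

# --- Web identity token file -------------------------------------------------
# The token is a bearer credential: drop any stale copy first (umask cannot
# tighten an existing file) and create the new one readable only by this user.
export AWS_WEB_IDENTITY_TOKEN_FILE="$(pwd)/web-identity-token"
rm -f -- "${AWS_WEB_IDENTITY_TOKEN_FILE}"
( umask 077; printf '%s' "${BITBUCKET_STEP_OIDC_TOKEN}" > "${AWS_WEB_IDENTITY_TOKEN_FILE}" )
# NOTE(review): the file lives in the build directory; make sure it is excluded
# from pipeline artifacts and caches, or remove it once the step is done.

# --- Role selection ----------------------------------------------------------
case "$ENV" in
  prod) export AWS_ROLE_ARN="arn:aws:iam::523761210517:role/BitbucketProyectosaccCICDRoleProd" ;;
  dev)  export AWS_ROLE_ARN="arn:aws:iam::668889063715:role/BitbucketProyectosaccCICDRoleDev" ;;
  *)
    # Any value other than "prod" has always mapped to the dev role; say so
    # explicitly so a typo never silently targets an unexpected account.
    echo "ADVERTENCIA: ambiente '$ENV' no reconocido; usando el rol de dev." >&2
    export AWS_ROLE_ARN="arn:aws:iam::668889063715:role/BitbucketProyectosaccCICDRoleDev"
    ;;
esac

SESSION_NAME="bitbucket-pipelines-proyectosacc-${ENV}-${BITBUCKET_BUILD_NUMBER:-unknown}"
export AWS_DEFAULT_REGION="mx-central-1"

echo "=== AWS OIDC Setup ==="
echo "Ambiente : $ENV"
echo "Role ARN : $AWS_ROLE_ARN"
echo "Region : $AWS_DEFAULT_REGION"
echo "Session Name : $SESSION_NAME"
echo "Token file : $AWS_WEB_IDENTITY_TOKEN_FILE"
echo "Obteniendo credenciales temporales via STS..."

# --- STS exchange ------------------------------------------------------------
# A single STS call; --query extracts the three fields, so no JSON parser is
# needed, and a failed call aborts under set -e instead of being masked by
# `export VAR=$(...)`, whose exit status is export's rather than the command's.
CREDS=$(aws sts assume-role-with-web-identity \
  --role-arn "$AWS_ROLE_ARN" \
  --role-session-name "$SESSION_NAME" \
  --web-identity-token "file://${AWS_WEB_IDENTITY_TOKEN_FILE}" \
  --duration-seconds 3600 \
  --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
  --output text)

# Text output of a list projection is one line, tab-separated.
IFS=$'\t' read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<<"$CREDS"
if [[ -z "$AWS_ACCESS_KEY_ID" || -z "$AWS_SECRET_ACCESS_KEY" || -z "$AWS_SESSION_TOKEN" ]]; then
  echo "ERROR: STS no devolvió credenciales completas." >&2
  exit 1
fi
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

# Terraform's S3 backend requires these variables explicitly
export AWS_REGION="${AWS_DEFAULT_REGION}"

echo "Credenciales obtenidas exitosamente."
echo "AWS_ACCESS_KEY_ID : ${AWS_ACCESS_KEY_ID:0:8}..."
echo "AWS_SESSION_TOKEN : ${AWS_SESSION_TOKEN:0:8}..."
echo "======================"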