proyectosacc-mirror/scripts/aws-oidc-setup.sh
Evert Daniel Romero Garrido 744c5d1413 feat(iam): implement OIDC authentication between Bitbucket Pipelines and AWS
- Adds aws_iam_openid_connect_provider and IAM roles for DEV/PROD
- Updates bitbucket-pipelines.yml to use OIDC in steps 03, 05, 07
- Creates the helper script scripts/aws-oidc-setup.sh
- Adds the tls provider in terraform/provider.tf
- Documents the full flow in docs/14-oidc-bitbucket-aws.md

Removes the dependency on static AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
in the pipeline, allowing authentication without long-lived credentials
via AssumeRoleWithWebIdentity.

Refs: DEV account 668889063715, PROD 523761210517
2026-04-15 12:50:31 -06:00

#!/bin/bash
# ===============================================================================================================
# aws-oidc-setup.sh - Configures AWS credentials via OIDC for Bitbucket Pipelines
# Description:
#   Exports the variables the AWS CLI and Terraform need to use Bitbucket's
#   OIDC token and assume the corresponding IAM role (AssumeRoleWithWebIdentity).
#
# Usage:
#   source scripts/aws-oidc-setup.sh <dev|prod>
#
# Requires:
#   - The step in bitbucket-pipelines.yml must have "oidc: true"
#   - A modern AWS CLI that supports AWS_WEB_IDENTITY_TOKEN_FILE
# ===============================================================================================================
set -euo pipefail

ENV="${1:-dev}"

# Bitbucket only injects this token when the step declares "oidc: true".
if [[ -z "${BITBUCKET_STEP_OIDC_TOKEN:-}" ]]; then
  echo "ERROR: BITBUCKET_STEP_OIDC_TOKEN no está definido."
  echo "Asegúrate de agregar 'oidc: true' al step en bitbucket-pipelines.yml"
  return 1 2>/dev/null || exit 1   # fails correctly whether sourced or executed
fi

# The AWS SDKs read the JWT from this file. Create it with private permissions
# (umask 077) and keep it out of commits and build artifacts: it is a bearer
# token for as long as it is valid.
export AWS_WEB_IDENTITY_TOKEN_FILE="$(pwd)/web-identity-token"
( umask 077; printf '%s' "${BITBUCKET_STEP_OIDC_TOKEN}" > "${AWS_WEB_IDENTITY_TOKEN_FILE}" )

# Role to assume; its trust policy must accept tokens from the Bitbucket OIDC provider.
if [[ "$ENV" == "prod" ]]; then
  export AWS_ROLE_ARN="arn:aws:iam::523761210517:role/BitbucketProyectosaccCICDRoleProd"
else
  export AWS_ROLE_ARN="arn:aws:iam::668889063715:role/BitbucketProyectosaccCICDRoleDev"
fi

export AWS_DEFAULT_REGION="mx-central-1"

echo "=== AWS OIDC Setup ==="
echo "Ambiente  : $ENV"
echo "Role ARN  : $AWS_ROLE_ARN"
echo "Region    : $AWS_DEFAULT_REGION"
echo "Token file: $AWS_WEB_IDENTITY_TOKEN_FILE"
echo "======================"
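As an added example, not part of the repository's script: a bash helper that decodes the OIDC token's payload and checks its iss, aud and exp claims against the values the role's trust policy expects, so a token minted for a different workspace or an expired one is rejected before it is written to AWS_WEB_IDENTITY_TOKEN_FILE. The issuer and audience strings are constructed placeholders; the signature is not checked here, since STS verifies it against the provider's published keys when the role is assumed.

```shell
#!/bin/bash
# Added example (not the repository's script). Validates the claims of the
# Bitbucket OIDC token locally. ISS/AUD below are constructed placeholders;
# the real values come from the aws_iam_openid_connect_provider configuration.
set -euo pipefail

b64url_decode() {                      # base64url -> bytes, restoring '=' padding
  local s="${1//-/+}"; s="${s//_//}"
  case $(( ${#s} % 4 )) in 2) s="${s}==" ;; 3) s="${s}=" ;; esac
  printf '%s' "$s" | base64 -d
}
b64url_encode() { base64 | tr -d '\n=' | tr '+/' '-_'; }

jwt_claim() {                          # print one string or integer claim from the payload
  local payload v
  payload=$(printf '%s' "$1" | cut -d. -f2)
  v=$(b64url_decode "$payload" | grep -o "\"$2\":\"[^\"]*\"" | head -1) || true
  if [[ -n "$v" ]]; then v="${v#*:\"}"; v="${v%\"}"
  else v=$(b64url_decode "$payload" | grep -o "\"$2\":[0-9]*" | head -1) || true; v="${v#*:}"; fi
  printf '%s' "$v"
}

# Returns 0 when iss, aud and exp match what the trust policy expects, else 1 with a reason.
check_oidc_token() {
  local token="$1" want_iss="$2" want_aud="$3" now="${4:-$(date +%s)}" iss aud exp
  iss=$(jwt_claim "$token" iss); aud=$(jwt_claim "$token" aud); exp=$(jwt_claim "$token" exp)
  [[ "$iss" == "$want_iss" ]] || { echo "iss mismatch: '$iss'" >&2; return 1; }
  [[ "$aud" == "$want_aud" ]] || { echo "aud mismatch: '$aud'" >&2; return 1; }
  [[ -n "$exp" && "$exp" -gt "$now" ]] || { echo "token expired or missing exp" >&2; return 1; }
}

make_token() {                         # constructed sample JWT with a dummy (unverified) signature
  printf '%s.%s.%s' "$(printf '{"alg":"RS256","typ":"JWT"}' | b64url_encode)" \
    "$(printf '%s' "$1" | b64url_encode)" "dummysig"
}
ISS='https://api.bitbucket.org/2.0/workspaces/EXAMPLE-WS/pipelines-config/identity/oidc'
AUD='ari:cloud:bitbucket::workspace/00000000-0000-0000-0000-000000000000'
GOOD=$(make_token "{\"iss\":\"$ISS\",\"aud\":\"$AUD\",\"sub\":\"{repo-uuid}:{step-uuid}\",\"exp\":4102444800}")
BAD=$(make_token "{\"iss\":\"$ISS\",\"aud\":\"ari:cloud:bitbucket::workspace/other\",\"exp\":4102444800}")

check_oidc_token "$GOOD" "$ISS" "$AUD" && echo "token claims OK"
```

In the pipeline the same check would run on "$BITBUCKET_STEP_OIDC_TOKEN" right before the token file is written, failing the step on a mismatch.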