Community
Products
Bamboo
Questions
How to secure AWS credentials by Projects

How to secure AWS credentials by Projects

I have added AWS credentials in Bamboo for code deployment. This credentials is shared to all other deployment projects.

But, I want restrict only for certain deployment projects. How could I do that?

I checked this link, https://confluence.atlassian.com/bamboo/shared-credentials-424313357.html#Sharedcredentials-edit_shared_credentials

It says I could edit, add or delete the credentials. I want to make it available for only certain projects.

1 answer

1 accepted

2 votes

Answer accepted

I'm afraid Bamboo shared credentials do not support such granular scopes at this point - please watch and vote for the following issues to in increase Atlassian's priority for these improvements:

Potential workaround

Depending on your specific requirements, you may be able to work around the problem via user groups and a third-party app as follows:

Reuse/Create an appropriate group that restricts deployment permissions to applicable users as desired.
Rather than using Bamboo's native shared AWS credentials feature, you could use our (commercial) Identity Federation for AWS (Bamboo) app where you can scope AWS credentials by user group, which has the following benefits and constraints:

Disclaimer: I'm a co-founder of the app's creator Utoolity.
If you use the same group as in 1. when configuring the AWS Connector, you effectively limit user access to the AWS credentials in question as desired (but see below).
- Note that builds and deployments are usually executed without an active user session, which is why you need to assign System scope to allow connector usage from elevated code. Users without access to a connector can execute resp. builds/deployments, but cannot access the underlying AWS credentials directly (see below).
The app also creates temporary AWS security credentials rather than using the long-term AWS credentials directly (the latter is strongly discouraged from an IAM security best practices point of view).
You can inject these temporary AWS credentials into other tasks as outlined on Using the AWS Credentials Variables task in Bamboo and How to provide temporary AWS credentials to the AWS Command Line Interface (AWS CLI) via Bamboo variables.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Thanks @Steffen Opel _Utoolity_

I did vote for that JIRA ticket. Meanwhile I saw a plugin from Utoolity to inject temporary AWS credentials.

Will it help for code deployment?

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like • Steffen Opel _Utoolity_ likes this

Hi @Purushothaman_Anbazhagan

I've updated my answer with a potential workaround based on our Identity Federation for AWS (Bamboo) app, which you can also 'just' use standalone to manage and use AWS credentials - conceptually it is a 'shared' app though and bundled for free with our other AWS integrations (works automatically), like the one you linked:

Depending on your scenario, Tasks for AWS (Bamboo) should indeed be able to help with code deployments, insofar its main feature set allows to provision and operate Amazon Web Services resources from Bamboo build and deployment projects. You can always try it for free and see whether it matches your requirements.

Cheers,
Steffen

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like • like this

Thanks @Steffen Opel _Utoolity_

Let me check this out!

Cheers,
Purushothaman

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Hi All, @Steffen Opel _Utoolity_ @Purushothaman Anbazhagan

Thanks for the info. My question is also related to Identity Federation for AWS and how to use temporary AWS credentials in Tasks for AWS(Bamboo).

We want to use Bamboo running on-premise which does the build and then, via, SAML/Active Directory to obtain temporary credentials, then assume AWS provisioned cd-deploy role to fulfill the deployment.

We just installed Free Trial of Tasks for AWS (Bamboo) which includes Identity Federation for AWS, but I am not seeing any related section with hints to connect to SAML iDP to get the temp credentials.

Any recommendations?

Thanks

Shao

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Hi @Shao Cai,

Welcome to the Atlassian Community!

I see that you have meanwhile asked this as a dedicated question About SAML 2.0-based Federation and Bamboo's solution for AWS deployment (very helpful, thanks!), so I'll provide an answer there later today.

Cheers,
Steffen

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Thanks Steffen, we want to explore more CI/CD tools except Jenkins, Bamboo is the one we are looking at as we are already using other Atlassian tool suites. If you want more info, I will be happy to discuss. Thanks

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Forums

Product Q&A

Community resources

Support

Top groups

Community resources

Support

Learn

Community resources

Support

Events

Community resources

Support

How to secure AWS credentials by Projects

1 answer

1 accepted

Suggest an answer

Was this helpful?

Thanks!

TAGS

Atlassian Community Events

Forums

Product Q&A

Community resources

Support

Top groups

Community resources

Support

Learn

Community resources

Support

Events

Community resources

Support

How to secure AWS credentials by Projects

1 answer

1 accepted

Suggest an answer

Was this helpful?

Thanks!

TAGS

Atlassian Community Events

Welcome to the new Atlassian Community