How to secure AWS credentials by Projects

Purushothaman_Anbazhagan May 21, 2019

I have added AWS credentials in Bamboo for code deployment. These credentials are shared with all other deployment projects.

But I want to restrict them to only certain deployment projects. How could I do that?

I checked this link, https://confluence.atlassian.com/bamboo/shared-credentials-424313357.html#Sharedcredentials-edit_shared_credentials

It says I could edit, add or delete the credentials. I want to make it available for only certain projects.



 

Answer accepted
Steffen Opel _Utoolity_
Community Leader
May 21, 2019

I'm afraid Bamboo shared credentials do not support such granular scopes at this point - please watch and vote for the following issues to increase Atlassian's priority for these improvements:

Potential workaround

Depending on your specific requirements, you may be able to work around the problem via user groups and a third-party app as follows:

  1. Reuse/Create an appropriate group that restricts deployment permissions to applicable users as desired.
  2. Rather than using Bamboo's native shared AWS credentials feature, you could use our (commercial) Identity Federation for AWS (Bamboo) app where you can scope AWS credentials by user group, which has the following benefits and constraints:

Purushothaman_Anbazhagan May 21, 2019

Thanks @Steffen Opel _Utoolity_ 

I did vote for that JIRA ticket. Meanwhile I saw a plugin from Utoolity to inject temporary AWS credentials.

Will it help for code deployment?


Steffen Opel _Utoolity_
May 21, 2019

Hi @Purushothaman_Anbazhagan

I've updated my answer with a potential workaround based on our Identity Federation for AWS (Bamboo) app, which you can also 'just' use standalone to manage and use AWS credentials - conceptually it is a 'shared' app though and bundled for free with our other AWS integrations (works automatically), like the one you linked:

Depending on your scenario, Tasks for AWS (Bamboo) should indeed be able to help with code deployments, insofar as its main feature set allows you to provision and operate Amazon Web Services resources from Bamboo build and deployment projects. You can always try it for free and see whether it matches your requirements.

Cheers,
Steffen

Purushothaman Anbazhagan May 22, 2019

Thanks @Steffen Opel _Utoolity_ 

Let me check this out!

Cheers,
Purushothaman


Shao Cai July 1, 2019

Hi All, @Steffen Opel _Utoolity_ @Purushothaman Anbazhagan

Thanks for the info. My question is also related to Identity Federation for AWS and how to use temporary AWS credentials in Tasks for AWS (Bamboo).

We want to use Bamboo running on-premise, which does the build and then, via SAML/Active Directory, obtains temporary credentials and assumes the AWS-provisioned cd-deploy role to fulfill the deployment.

We just installed the Free Trial of Tasks for AWS (Bamboo), which includes Identity Federation for AWS, but I am not seeing any related section with hints on how to connect to a SAML IdP to get the temp credentials.

Any recommendations? 

Thanks

Shao

Steffen Opel _Utoolity_
July 2, 2019

Hi @Shao Cai,

Welcome to the Atlassian Community!

I see that you have meanwhile asked this as a dedicated question About SAML 2.0-based Federation and Bamboo's solution for AWS deployment (very helpful, thanks!), so I'll provide an answer there later today.

Cheers,
Steffen

Shao Cai July 2, 2019

Thanks Steffen, we want to explore more CI/CD tools except Jenkins; Bamboo is the one we are looking at, as we are already using other Atlassian tool suites. If you want more info, I will be happy to discuss. Thanks
