From e011e7ed1045b30804601436be9fdecb7e8a7a89 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ji=C5=99=C3=AD=20Ol=C3=A1h?=
Date: Fri, 12 Jul 2024 13:33:42 +0200
Subject: [PATCH] feat(assume-role): Provide script for AssumeRoleWithWebIdentity

---
 Dockerfile | 1 +
 README.md | 5 +++++
 scripts/assume-role.sh | 14 ++++++++++++++
 3 files changed, 20 insertions(+)
 create mode 100755 scripts/assume-role.sh

diff --git a/Dockerfile b/Dockerfile
index 50d7bd3..7fe3149 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -23,6 +23,7 @@ ARG AWS_CLI_VERSION
 COPY build-scripts/download-aws-cli.sh /tmp/download-aws-cli.sh
 RUN /tmp/download-aws-cli.sh
 
+COPY scripts/assume-role.sh /usr/local/bin/assume-role
 COPY scripts/deploy-s3-cf.sh /usr/local/bin/deploy-s3-cf
 
 FROM cookielab/container-image-tools:1.4.0-aws AS container-image-tools
diff --git a/README.md b/README.md
index c3ccc57..b89036a 100644
--- a/README.md
+++ b/README.md
@@ -8,3 +8,8 @@
 ## Scripts
 
 - `deploy-s3-cf` - for deploying static site to S3 and CloudFront
+- `assume-role` - Script for AssumeRoleWithWebIdentity
+ - Requirements:
+ - `$AWS_ROLE_ARN` = ENV variable for Role ARN
+ - `$AWS_ROLE_SESSION_NAME` = ENV variable for session name
+ - `$OIDC_TOKEN` = ENV variable for providing OIDC token
diff --git a/scripts/assume-role.sh b/scripts/assume-role.sh
new file mode 100755
index 0000000..f85dc06
--- /dev/null
+++ b/scripts/assume-role.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SESSION_EXPIRATION
+
+read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_SESSION_EXPIRATION < <(
+ aws sts assume-role-with-web-identity \
+ --role-arn "${AWS_ROLE_ARN}" \
+ --role-session-name "${AWS_ROLE_SESSION_NAME}" \
+ --web-identity-token "${OIDC_TOKEN}" \
+ --duration-seconds 900 \
+ --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
+ --output text
+)
+
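Review bot: The `export` in scripts/assume-role.sh only marks variables in the script's own process, so when the file is run as the installed command `/usr/local/bin/assume-role` (it gets mode 100755 and a `#!/bin/bash` shebang) the caller is left with no credentials once it exits; it only works when sourced, which neither the script nor the README hunk states. Unless the intent is to print `export` assignments for the caller to `eval`, a header comment such as `# Usage: source assume-role  (exports AWS_* credentials into the calling shell; do not execute)` should be added. A failed `aws sts assume-role-with-web-identity` call is also unchecked: `read` then hits EOF and the four variables are exported empty, so guard the preconditions with `: "${AWS_ROLE_ARN:?}" "${AWS_ROLE_SESSION_NAME:?}" "${OIDC_TOKEN:?}"` and append `|| { printf 'assume-role: STS call failed\n' >&2; exit 1; }` after the closing `)` of the process substitution. Separately, `--web-identity-token "${OIDC_TOKEN}"` places the bearer token in argv, where it is visible in process listings and any `set -x` trace; writing it to a `mktemp` file and passing that path via the CLI's `file://` parameter loading (or using `AWS_WEB_IDENTITY_TOKEN_FILE`) would keep it out of the command line.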