.gitlab-ci: YAML anchors for OIDC

613e0c14 · Harley Watson · 2ff12b13 · 613e0c14
Commit 613e0c14 authored May 16, 2022 by Harley Watson
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -8,6 +8,19 @@ variables:
  BUCKET_NAME: as211244.net
  ROLE_ARN: arn:aws:iam::127091214013:role/gitlab-s3upload-as211244.net

+.aws-sts-assume-role: &aws-sts-assume-role
+  - >
+    STS=($(aws sts assume-role-with-web-identity
+    --role-arn ${ROLE_ARN}
+    --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
+    --web-identity-token $CI_JOB_JWT_V2
+    --duration-seconds 3600
+    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
+    --output text))
+  - export AWS_ACCESS_KEY_ID="${STS[0]}"
+  - export AWS_SECRET_ACCESS_KEY="${STS[1]}"
+  - export AWS_SESSION_TOKEN="${STS[2]}"
+
 workflow:
  rules:
    - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH
@@ -16,18 +29,7 @@ deploy-s3:
  image: "registry.gitlab.com/gitlab-org/cloud-deploy/aws-base:latest"
  stage: deploy
  script:
-    - >
-      STS=($(aws sts assume-role-with-web-identity
-      --role-arn ${ROLE_ARN}
-      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
-      --web-identity-token $CI_JOB_JWT_V2
-      --duration-seconds 3600
-      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
-      --output text))
-    - export AWS_ACCESS_KEY_ID="${STS[0]}"
-    - export AWS_SECRET_ACCESS_KEY="${STS[1]}"
-    - export AWS_SESSION_TOKEN="${STS[2]}"
-
+    - *aws-sts-assume-role
    - aws s3 cp site s3://${BUCKET_NAME} --recursive
  environment:
    name: main