Setup Jenkins to assume a role in another AWS account

8 thoughts on “Setup Jenkins to assume a role in another AWS account”

  1. Thanks for a great writeup! One little thing..
    On method two, where ASSUME_ROLE_ENVIRONMENT is set, the script is setting AWS_SECURITY_TOKEN, which was phased out in 2014 in favor of AWS_SESSION_TOKEN. Though the AWS CLI still seems to support both, tools like Terragrunt (which uses the AWS Go auth SDK) are rapidly dropping support and only evaluating AWS_SESSION_TOKEN.

    1. Hi Jay. Thanks for the correction. The article has now been updated to use AWS_SESSION_TOKEN instead of AWS_SECURITY_TOKEN.

  2. Hi, sorry to be an annoying bee, but I am confused about how you tell Jenkins to use the specific role. I have Jenkins already set up and we are using an IAM user to access another account from Jenkins, but those creds are stored as secret text in Jenkins credentials. We want to change the user to a role.
    I have a Jenkins DEV role (with sts:AssumeRole policy) in the account with Jenkins running and a Jenkins Stage role in the other AWS account. At the moment we are running the freestyle project with shell and specific creds from the IAM user added to the Jenkins credential store.
    I cannot find anywhere in your article how to tell Jenkins to use the Jenkins DEV role for this project (as everyone, we have multiple credentials stored in Jenkins and need to use the specific Jenkins Dev role to run this project). Are you adding the Jenkins Dev role to the Jenkins credential store and then using the secret text in a binding in the freestyle project?

    1. Hi Nan. Good question. How are you running Jenkins in AWS? Whatever way you’re running it, there is a way to assign it a role.

      • in the ECS world you assign a role to an ECS task definition which gets used when the task starts
      • in the EC2 world you assign an instance profile which contains a role

      The point is that Jenkins will automatically use the role of the AWS compute service it’s running in. You don’t need to configure any AWS credentials in Jenkins as it will automatically pick up the permissions of the role it’s been assigned through AWS.

      I hope this makes sense. I’ve added some additional detail under “Why would Jenkins need to assume a role in AWS?”.

    1. Good question, and maybe something I didn’t make clear enough.

      Using the methods outlined in this article you’re allowing Jenkins itself to assume the role. It doesn’t give the granularity to control individual Jenkins users.

      Make sure to follow the steps under “Updating the Jenkins role to allow Jenkins to assume the production role”, i.e., give the Jenkins role the sts:AssumeRole permission on the role to be assumed in the production account.
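The scripted hand-off the first comment discusses (calling `aws sts assume-role` from the Jenkins role and exporting the temporary credentials as AWS_SESSION_TOKEN rather than the retired AWS_SECURITY_TOKEN), written out as an added example. This is not code from the article or the comments: the function names, the placeholder role ARN and session name are assumptions, and it presumes the Jenkins agent's own role already has sts:AssumeRole on the target role, as the last reply above describes.

```sh
#!/bin/sh
# Added example (not from the article): turn the credentials returned by
# `aws sts assume-role` into the environment variables the AWS SDKs read.
# The variable that matters is AWS_SESSION_TOKEN; AWS_SECURITY_TOKEN is the
# retired name and newer SDKs ignore it.
set -eu

tab=$(printf '\t')

# Read one tab-separated line "AccessKeyId SecretAccessKey SessionToken" on
# stdin (the shape produced by the --query/--output text flags used in
# assume_role below) and print shell `export` statements for it.  Returns
# non-zero if any field is missing so the caller can abort instead of
# carrying on with the agent's own (wrong-account) credentials.
format_assume_role_env() {
  key=''; secret=''; token=''
  IFS="$tab" read -r key secret token || true
  if [ -z "$key" ] || [ -z "$secret" ] || [ -z "$token" ]; then
    echo "assume-role output did not contain AccessKeyId, SecretAccessKey and SessionToken" >&2
    return 1
  fi
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$key"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$token"
  # Drop the legacy variable so nothing that still honours it sees stale creds.
  printf 'unset AWS_SECURITY_TOKEN\n'
}

# Live use on the Jenkins agent (needs the aws CLI).  The agent's own role
# (instance profile or ECS task role) must have sts:AssumeRole on ROLE_ARN
# and the target role's trust policy must name the agent's role.  Usage:
#   creds=$(assume_role arn:aws:iam::123456789012:role/jenkins-prod) || exit 1
#   eval "$creds"
#   aws sts get-caller-identity   # should now report the assumed role
# The account id and role name above are placeholders, not values from the
# article.
assume_role() {
  role_arn=$1
  session_name=${2:-jenkins-$(date +%s)}
  aws sts assume-role \
    --role-arn "$role_arn" \
    --role-session-name "$session_name" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text | format_assume_role_env
}
```

Capturing the output into a variable before `eval` is deliberate: `eval "$(assume_role ...)"` would swallow a failed STS call and leave the job running with the Jenkins role's own credentials.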
