8 November 2019

Delegate permissions with AWS roles


Buddy is the official partner of Amazon Web Services with native integrations to many AWS services. This means you can use Buddy to automate deployments to EC2 instances, S3 buckets, ECS, or Elastic Beanstalk.

AWS services in Buddy

Until now, the integration was performed with access and secret keys. With today’s release, it is possible to delegate permissions to Buddy with roles in your AWS account. Once you specify the scope of permissions and assign them to a role for Buddy, the service will assume that role and use it to authenticate to your AWS services. This type of integration is much safer when it comes to delegating permissions to external providers. First, you can be sure that only the account for which the role was created will be able to use it. Second, the access and secret keys used in the CI/CD process are temporary (usually revoked after 60 minutes).

How it works

  1. Create and delegate the role for Buddy’s AWS account (056014222594).

    NOTE: The whole process is described in detail in our documentation.

  2. Provide the role ID when adding a new AWS integration:
    Trust relationship form
  3. Buddy will generate temporary access and secret tokens for every execution with AWS actions.
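As an added example (not Buddy's own code or documentation), here is how the trust relationship from step 1 can be written and checked in Python: the delegate is Buddy's AWS account from the post, the external ID is a constructed placeholder, and the audit function flags a trust policy that would let any account, or an unexpected one, assume the role or skip the external ID.

```python
import json

# Buddy's AWS account, as given in the post above.
BUDDY_ACCOUNT_ID = "056014222594"


def build_trust_policy(delegate_account: str, external_id: str) -> dict:
    """Trust policy for a role that only the delegate account may assume,
    and only when it presents the agreed external ID (confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{delegate_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit_trust_policy(policy: dict, allowed_accounts: set) -> list:
    """Return findings for Allow statements on sts:AssumeRole whose principal
    is not one of the expected delegate accounts or which lack sts:ExternalId."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principals = stmt.get("Principal", {})
        aws = principals.get("AWS", []) if isinstance(principals, dict) else principals
        aws = [aws] if isinstance(aws, str) else aws
        for p in aws:
            # ARN form "arn:aws:iam::<account>:root" or a bare account ID
            acct = p.split(":")[4] if p.startswith("arn:") else p
            if p == "*" or acct not in allowed_accounts:
                findings.append(f"statement {i}: principal {p!r} is not an expected delegate")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    # Constructed placeholder external ID; use the one Buddy shows you.
    policy = build_trust_policy(BUDDY_ACCOUNT_ID, "EXAMPLE-EXTERNAL-ID")
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy, {BUDDY_ACCOUNT_ID}))
```

The same audit can be run over trust policies pulled from your account, which is a cheap way to catch roles that were opened to `"AWS": "*"` or created without an external ID.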

There is more

Role assumption can be chained several times. For example, you can forward the permissions that your client delegated to you on to Buddy, simply by passing your own account's permissions to it. This way you can use Buddy to deploy to your clients' AWS accounts without having to ask them for authentication credentials or invite them to your Buddy workspace.

Role assumption is also available for regular integrations with access and secret keys – we have added dedicated inputs for Role ARN and Role external ID at the bottom of the form.

Role assumption with access keys