1

我想问一下是否有一种快捷方式来设置由aws sts assume-role一个詹金斯管道生成的全局环境变量。我的目标是让这些生成的值(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN)可重用于一个詹金斯管道上的 3 个阶段步骤。目前我在我的舞台上有这个设置,虽然我觉得它太乱了,我想知道你是否可以建议我一个更好的方法来设置全局变量。我当前的管道如下所示:

   pipeline {
   agent any
   stages {
          stage ('S3 CHECK') {
              steps {
                 sh '''
                 unset AWS_SESSION_TOKEN
                 unset AWS_SECRET_ACCESS_KEY
                 unset AWS_ACCESS_KEY_ID

                CREDENTIALS=`aws sts assume-role --role-arn arn:aws:iam::0123456789123:role/POGI --role-session-name RoleSession`

                export AWS_ACCESS_KEY_ID=`echo $CREDENTIALS | jq -r '.Credentials.AccessKeyId'`
                export AWS_SECRET_ACCESS_KEY=`echo $CREDENTIALS | jq -r '.Credentials.SecretAccessKey'`
                export AWS_SESSION_TOKEN=`echo $CREDENTIALS | jq -r '.Credentials.SessionToken'`
                aws s3 ls
                '''
              }
           }
           stage ('CHECK AVAILABLE BEANSTALK PLATFORMS') {
              steps {
                 sh '''
                 unset AWS_SESSION_TOKEN
                 unset AWS_SECRET_ACCESS_KEY
                 unset AWS_ACCESS_KEY_ID

                        CREDENTIALS=`aws sts assume-role --role-arn arn:aws:iam::0123456789123:role/POGI --role-session-name RoleSession`

                export AWS_ACCESS_KEY_ID=`echo $CREDENTIALS | jq -r '.Credentials.AccessKeyId'`
                export AWS_SECRET_ACCESS_KEY=`echo $CREDENTIALS | jq -r '.Credentials.SecretAccessKey'`
                export AWS_SESSION_TOKEN=`echo $CREDENTIALS | jq -r '.Credentials.SessionToken'`
                aws elasticbeanstalk describe-environment-resources --environment-name pogi
                aws elasticbeanstalk list-platform-versions 
                '''
              }
           }
           stage ('BEANSTALK CHECK') {
              steps {
                 sh '''
                 unset AWS_SESSION_TOKEN
                 unset AWS_SECRET_ACCESS_KEY
                 unset AWS_ACCESS_KEY_ID

                        CREDENTIALS=`aws sts assume-role --role-arn arn:aws:iam::0123456789123:role/POGI --role-session-name RoleSession`

                export AWS_ACCESS_KEY_ID=`echo $CREDENTIALS | jq -r '.Credentials.AccessKeyId'`
                export AWS_SECRET_ACCESS_KEY=`echo $CREDENTIALS | jq -r '.Credentials.SecretAccessKey'`
                export AWS_SESSION_TOKEN=`echo $CREDENTIALS | jq -r '.Credentials.SessionToken'`
                aws elasticbeanstalk describe-environment-resources --environment-name pogi
                '''
              }
           }
    }

}

我真的很想在每个阶段放置这个以使格式更干净

                 unset AWS_SESSION_TOKEN
                 unset AWS_SECRET_ACCESS_KEY
                 unset AWS_ACCESS_KEY_ID

                        CREDENTIALS=`aws sts assume-role --role-arn arn:aws:iam::0123456789123:role/POGI --role-session-name RoleSession`

                export AWS_ACCESS_KEY_ID=`echo $CREDENTIALS | jq -r '.Credentials.AccessKeyId'`
                export AWS_SECRET_ACCESS_KEY=`echo $CREDENTIALS | jq -r '.Credentials.SecretAccessKey'`
                export AWS_SESSION_TOKEN=`echo $CREDENTIALS | jq -r '.Credentials.SessionToken'`
                aws elasticbeanstalk describe-environment-resources --environment-name pogi
4

1 回答 1

0

您可以将其提取到 bash 文件中,然后source <bash-file>.sh在每个阶段中使用。

例如,您可以调用该文件init.sh并具有以下内容:

#!/usr/bin/env bash

unset AWS_SESSION_TOKEN
unset AWS_SESSION_TOKEN
unset AWS_SECRET_ACCESS_KEY
unset AWS_ACCESS_KEY_ID

CREDENTIALS=`aws sts assume-role --role-arn arn:aws:iam::0123456789123:role/POGI --role-session-name RoleSession`

export AWS_ACCESS_KEY_ID=`echo $CREDENTIALS | jq -r '.Credentials.AccessKeyId'`
export AWS_SECRET_ACCESS_KEY=`echo $CREDENTIALS | jq -r '.Credentials.SecretAccessKey'`
export AWS_SESSION_TOKEN=`echo $CREDENTIALS | jq -r '.Credentials.SessionToken'`

例如,这样CHECK AVAILABLE BEANSTALK PLATFORMS舞台将变为以下内容:

source init.sh

aws elasticbeanstalk describe-environment-resources --environment-name pogi
aws elasticbeanstalk list-platform-versions

如果不同阶段有一些变量,您可以使用类似source init.sh var1 var2and var1would be $1ininit.shvar2would be 之类的东西$2

顺便说一句,您可以摆脱jqdep 而只使用它awktext这适用于使用 AWS格式而不是 JSON的 MFA(但相同的方法可用于承担角色) 。

# output format "CREDENTIALS <spaces> <access-key-id> <expiry> <secret-access-key> <session-token>"
CREDENTIALS=`aws sts get-session-token --output text \
  --serial-number <mfa-arn> \
  --token-code <otp> \
  --duration-seconds 43200`

export AWS_ACCESS_KEY_ID=$(echo $CREDENTIALS | awk '{print $2}')
export AWS_SECRET_ACCESS_KEY=$(echo $CREDENTIALS | awk '{print $4}')
export AWS_SESSION_TOKEN=$(echo $CREDENTIALS | awk '{print $5}')
于 2019-06-01T02:17:28.907 回答