
Configure login to export AWS session token #1144

Open: liyu-ma wants to merge 10 commits into main from maliyu/aws-oidc-auth

Conversation


@liyu-ma liyu-ma commented Apr 22, 2026

Context

login.yml supports two configurations of credential: service_connection and variable_group. OIDC token requires service connection and three parameters: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN.

Change

  • Export AWS_SESSION_TOKEN in the Get login credentials step. Note that this step is not run in internal pipelines as they use the variable_group credential type.
  • Pass the session token as an env var to the AWS Login step, and use it to configure the aws cli aws_session_token.
  • The AWS_SESSION env var will default to the literal '$(AWS_SESSION_TOKEN)' when the var is not set (indicating this is not OIDC auth). Need to clear this literal value because it is invalid and will fail the pipeline.
  • Remove unnecessary step name.


Copilot AI left a comment


Pull request overview

This PR updates the shared AWS login step template to support OIDC/STS-style credentials by propagating and configuring AWS_SESSION_TOKEN, while keeping compatibility with existing static key flows.

Changes:

  • Export AWS_SESSION_TOKEN as a secret pipeline variable when present.
  • Configure AWS CLI to use aws_session_token when provided.
  • Remove the unused step name.

@liyu-ma liyu-ma changed the title Configure and use AWS session token sup Configure login to use AWS session token Apr 22, 2026
@liyu-ma liyu-ma changed the title Configure login to use AWS session token Configure login to export AWS session token Apr 22, 2026
@liyu-ma liyu-ma force-pushed the maliyu/aws-oidc-auth branch from 0019c88 to bf5ba9b Compare April 22, 2026 13:41
@liyu-ma liyu-ma requested a review from Copilot April 22, 2026 13:41

Copilot AI left a comment


Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.


Copilot AI left a comment


Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

@liyu-ma liyu-ma force-pushed the maliyu/aws-oidc-auth branch from 0e05551 to e641eab Compare April 23, 2026 02:15
liyu-ma added 10 commits April 23, 2026 23:18

  • Export and configure AWS_SESSION_TOKEN in login.yml to support OIDC-based credentials which return temporary session tokens. Conditional guards ensure backward compatibility with static keys. Also remove step name to avoid duplicate name errors when login is called multiple times in a pipeline.
  • Add validation to treat unresolved $(AWS_SESSION_TOKEN) literals as empty, and unset aws_session_token when not applicable to prevent stale tokens from persisting on self-hosted agents.
  • Remove unnecessary literal-string check in AWSShellScript step where env vars are always real. Add explanatory comment for the literal check in the bash step, and a log line when unsetting stale tokens.
  • Replace 'aws configure unset' with 'aws configure set ... ""' for compatibility with AWS CLI v1 which lacks the unset subcommand.
  • Log when ADO passes unresolved literal, when a real session token is found (with first 4 chars), and when no token is present.
  • Remove the else branch that set aws_session_token to empty string, which caused AWS CLI to send an empty token in API calls. Now simply skip session token configuration when not available.
  • When service_connection is used without OIDC, step 1 does not set AWS_SESSION_TOKEN. ADO then passes the literal string '$(AWS_SESSION_TOKEN)' to step 2's env block, which would incorrectly configure aws_session_token.
  • … script

    ADO performs macro expansion on $(...) patterns in script bodies, even inside single quotes. Split the literal string construction so ADO doesn't recognize the pattern.
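The session-token handling described in the PR description and in the last commit message above (detecting the unresolved '$(AWS_SESSION_TOKEN)' literal, building that literal in pieces so ADO does not macro-expand it, and configuring aws_session_token only for a real token), as an added shell example that is not the PR's own login.yml. The AWS_CLI variable (defaulting to aws), the log wording and the sample token value are assumptions.

```shell
# Added example, not the PR's login.yml. Assumes the login step receives the
# token via the AWS_SESSION_TOKEN env var and that AWS_CLI (default: aws)
# is the CLI to configure.

# Build the literal '$(AWS_SESSION_TOKEN)' from pieces. Written in one piece
# inside an ADO script body, the $(...) pattern is macro-expanded by ADO
# even inside single quotes, so a direct comparison would never match.
unresolved_literal() {
  open='$('
  printf '%s%s%s' "$open" 'AWS_SESSION_TOKEN' ')'
}

# Classify what ADO handed the step: absent (var empty), unresolved (step 1
# never set the variable, so the macro stayed literal) or present (real token).
session_token_status() {
  value="${1-}"
  if [ -z "$value" ]; then
    echo absent
  elif [ "$value" = "$(unresolved_literal)" ]; then
    echo unresolved
  else
    echo present
  fi
}

# Configure aws_session_token only for a real token; never write an empty
# token, which the CLI would send in API calls. Logs at most a 4-char prefix.
# Returns 0 when the CLI was configured, 1 when configuration was skipped.
configure_session_token() {
  value="${1-}"
  case "$(session_token_status "$value")" in
    present)
      echo "AWS_SESSION_TOKEN found (prefix $(printf '%.4s' "$value")...), configuring aws_session_token" >&2
      "${AWS_CLI:-aws}" configure set aws_session_token "$value"
      return 0
      ;;
    unresolved)
      echo "ADO passed the unresolved AWS_SESSION_TOKEN literal; treating it as no token" >&2
      return 1
      ;;
    *)
      echo "no AWS_SESSION_TOKEN present; skipping session token configuration" >&2
      return 1
      ;;
  esac
}

# Usage inside the login step (the step's env block supplies the variable):
# configure_session_token "${AWS_SESSION_TOKEN-}" || true
```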
@liyu-ma liyu-ma force-pushed the maliyu/aws-oidc-auth branch from c9c1e4b to 18ecf79 Compare April 23, 2026 13:18

Copilot AI left a comment


Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.
