You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: PROVIDERS.md
+20-2Lines changed: 20 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,9 +9,9 @@ Amazon Web Services can be integrated by using the following configuration block
9
9
provider: aws
10
10
# id is the name defined by user for filtering (optional)
11
11
id: staging
12
-
# aws_access_key is the access key for AWS account
12
+
# aws_access_key is the access key for AWS account (optional - see "Keyless Authentication" below)
13
13
aws_access_key: $AWS_ACCESS_KEY
14
-
# aws_secret_key is the secret key for AWS account
14
+
# aws_secret_key is the secret key for AWS account (optional - see "Keyless Authentication" below)
15
15
aws_secret_key: $AWS_SECRET_KEY
16
16
# aws_session_token session token for temporary security credentials retrieved via STS (optional)
17
17
aws_session_token: $AWS_SESSION_TOKEN
@@ -31,6 +31,24 @@ Amazon Web Services can be integrated by using the following configuration block
31
31
32
32
`aws_access_key` and `aws_secret_key` can be generated in the IAM console. We recommend creating a new IAM user with `Read Only` permissions and providing the access token for the user.
`aws_access_key` and `aws_secret_key` are **optional**. When both are omitted from the config, the provider falls back to the AWS SDK default credential chain, so no secrets need to be injected into the config file. To use keyless mode, leave the keys out entirely (an `aws_access_key: $UNSET_ENV_VAR` whose environment variable is unset is treated as a literal value, not as keyless). This enables:
37
+
38
+
- **IRSA (IAM Roles for Service Accounts)** on EKS — credentials are picked up automatically from the `AWS_WEB_IDENTITY_TOKEN_FILE` and `AWS_ROLE_ARN` environment variables injected by the pod identity webhook.
39
+
- **EC2 / ECS instance profiles** — credentials are resolved from the instance/task metadata endpoint.
# no aws_access_key / aws_secret_key — credentials resolved by the SDK default chain
48
+
```
49
+
50
+
> Note: if you provide one of `aws_access_key` / `aws_secret_key`, you must provide both. `assume_role_arn`, `assume_role_name` and `org_discovery_role_arn` all work on top of keyless base credentials too.
0 commit comments