Getting started

Creating an Organization

Creating Audit and Log Archive AWS Accounts

Management

Creating an AWS Account

Initial Setup

Billing Alerts

Configuring AWS SSO (IAM Identity Center)

Generating As-Built-Documentation

Environments

Configuring AWS Client VPN

Configuring Private Bastion

Deleting an Environment

Compliance

Configuring a standard

Reference

Choosing Email Addresses for your AWS Accounts

Checklist end-of-deployment

Configuring SSO for Microsoft Azure

Configuring SSO for G-Suite

Deploying Applications

Notification History

Removing Citadel Access from AWS Accounts

What’s deployed in my account

Troubleshooting

Common Issues

Finding the Root Cause of a Failed Job

Creating new environment failed

Fixing Network Access is not connecting to RDS

SSO G-Suite - Deploy Lambda Error

Common issues

Service Roles

Introduction

You will need to configure a service role within a Citadel environment. These step-by-step instructions demonstrate how to use GitHub, GitLab, and BitBucket.

What is a Service Role?

A service role is an IAM Role that trusts a provider via OIDC.

The supported providers are: GitHub, GitLab, and BitBucket.

The service role is used to allow external providers to perform changes in your AWS infrastructure. Some common use cases are:

Deploying Applications
Deploying Infrastructure with tools like AWS CLI (CloudFormation), Terraform, etc.
Copying files to an S3 bucket for a static website

Creating a service role

Let's now configure the service role through which your AWS Account communicates with a vendor (GitHub, GitLab, BitBucket).

Sign in to Citadel and navigate to the Environment section
If you do not have an Environment created, click on Create an environment
Follow the instructions at
Environments
On the Environment page, on the left side, select the Service Roles menu
To create a new service role, click the New Service Role button
Fill out the fields as directed below:

Enter the Role Name that will be able to deploy AWS resources using the selected provider
Select the Provider of your CI supports OIDC or Custom for user-based authentication
Select Policy Sets to configure the role's permissions (see more below)
Enter the Organization Name (or team name when using Bitbucket)
Enter the Workspace UUID (only when using Bitbucket). To find this value, see below
Click Create

Finding the Workspace UUID (Bitbucket only)

To find your Workspace UUID:

Navigate to any repository in your Bitbucket team
Click Repository Settings
Click OpenID Connect
Copy the Workspace UUID as shown in the screenshot below

Policy Sets

Policy Sets are IAM policies fine-tuned for a specific purpose.

Currently, Citadel ships with 3 policy sets:

Administrator

Allows any action in the AWS accounts.

This policy set should be avoided as it breaks the principle of least-privilege.

When use is required, make sure that the provider using this role has proper security controls in place to avoid unauthorized actions.

Serverless

This role is intended for the deployment of serverless apps. It includes apps deployed with the frameworks:

ECS / ECR

This role is suited for pushing Docker images to ECR and deploying ECS services.

⚠️

These policies are built and tested regularly by the Citadel team. Due to changes to the frameworks and new AWS services, policies might need to be updated. Please contact support if you believe a policy set is missing permissions to perform necessary actions.

Custom Policies (coming soon)

Allows a user to add custom policies to the role.

Configure BitBucket Pipeline

Configure a BitBucket pipeline to build and deploy changes to your project. A basic configuration can do things like write scripts to create a cluster, configure and manage different resources.

pipelines:

pull-requests:
	'**': #this runs as default for any branch not elsewhere defined
		- step:
			script:
				- ...
			feature/citadel-*: #any branch with a “feature/citadel-” prefix
		- step:
			script:
				- ...
	
		branches: #these will run on every push of the branch
		staging:
			- step:
			script:
				- ...

Pipeline sample.

Credentials

You need to set up a credential configuration to allow any deployment in the AWS Account.

Create 2 variables to the repository.

Navigate to BitBucket > Repository variables

Go to your BitBucket Repository;
Select Repository setting on left menu;
Select Repository variables on the left menu;

Create 2 variables:

Variable 1:

Name: AWS_REGION

Value: Region of the environment

Variable 2:

Name: AWS_ROLE_ARN

Value: arn:aws:iam::<account_number>:role/<role_name>**

Role_name: Role name assigned to the service role.

Image shows the 2 variables created on BitBucket.

Enable the service role for pipeline steps:

Add the OIDC to the the pipeline workspace file in the steps section that you need to run:

Example:

oidc: true

As per the documentation here, you simply need to add the AWS_WEB_IDENTITY_TOKEN_FILE environment variable.

– export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token

– echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token

The example below shows a how the pipeline would look like.

Configure GitLab Pipeline

Configure a GitLab pipeline to build and deploy changes to your project. A basic configuration can do things like write scripts to create a cluster, configure and manage different resources.

Set up GitLab repository: The first step is to create (if it doesn’t exist) a GitLab repository that will host your project.
Create a blueprint: You can create a blueprint in GitLab by adding a file in the root directory of your repository with the .gitlab-ci.yml extension. This file will contain the definition of your pipeline, including the steps and actions that will be performed.
AWS credentials: In order to run your pipeline to AWS, you need to set up AWS credentials in GitLab.

Credentials

You can set up aws-actions/configure-aws-credentials@v1 to run the pipeline with an AWS Role with permission to deploy the resources you are running.


name: GitLab Pipeline

on:
  workflow_dispatch:
    inputs:

  push:
    

jobs:
  name: Get Workspaces
  runs-on: ubuntu-latest
  permissions:
    id-token: write
    contents: read

  steps:
    - name: configure aws credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
				role-to-assume: arn:aws:iam::000000000000:role/CIDeployGitLab
        role-session-name: github-deploy
        aws-region: ap-southeast-2 # set your region

Example (a). GitLab pipeline using configure-aws-credentials.

This can be done by creating a new environment variable in your GitLab repository with your AWS access key and secret access key.

name: GitLab Pipeline

on:
  workflow_dispatch:
    inputs:

  push:
    

jobs:
  name: Get Workspaces
  runs-on: ubuntu-latest
  permissions:
    id-token: write
    contents: read

  steps:
    - name: configure aws credentials
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: ${{ secrets.AWS_REGION }}

Example (b). GitLab pipeline using gitlab keys.

In this example, the AWS configure command sets the AWS credentials using the environment variables $AWS_ACCESS_KEY_ID and $AWS_SECRET_ACCESS_KEY.

For more information on how to set up a blueprint in GitLab and run pipelines to AWS, you can refer to the official GitLab documentation:

`.gitlab-ci.yml` keyword reference | GitLab

This document lists the configuration options for your GitLab .gitlab-ci.yml file. When you are editing your .gitlab-ci.yml file, you can validate it with the CI Lint tool. If you are editing content on this page, follow the instructions for documenting keywords. A GitLab CI/CD pipeline configuration includes: Some keywords are not defined in a job.

docs.gitlab.com

Configuring the AWS CLI

AWS requires that all incoming requests are cryptographically signed. The AWS CLI does this for you. The "signature" includes a date/time stamp. Therefore, you must ensure that your computer's date and time are set correctly. If you don't, and the date/time in the signature is too far off of the date/time recognized by the AWS service, AWS rejects the request.

docs.aws.amazon.com

run-instances - AWS CLI 1.27.59 Command Reference

Launches the specified number of instances using an AMI for which you have permissions. You can specify a number of options, or leave the default options. The following rules apply: [EC2-VPC] If you don't specify a subnet ID, we choose a default subnet from your default VPC for you.

docs.aws.amazon.com

Configure GitHub Pipeline

Configure a GitHub pipeline to build and deploy changes to your project. A basic configuration can do things like write scripts to create a cluster, configure and manage different resources.

Set up GitHub repository: The first step is to create (if it doesn’t exist) a GitHub repository that will host your project.
Create a blueprint: You can create a blueprint in GitHub by adding a file in the root directory of your repository with the .workflows/github/file-name.yml extension. This file will contain the definition of your pipeline, including the steps and actions that will be performed.
AWS credentials: In order to run your pipeline to AWS, you need to set up AWS credentials in GitHub.

Credentials

You can set up aws-actions/configure-aws-credentials@v1 to run the pipeline with an AWS Role with permission to deploy the resources you are running.


name: GitHub Pipeline

on:
  workflow_dispatch:
    inputs:

  push:
    

jobs:
  name: Get Workspaces
  runs-on: ubuntu-latest
  permissions:
    id-token: write
    contents: read

  steps:
    - name: configure aws credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
				role-to-assume: arn:aws:iam::000000000000:role/CIDeployGitHub
        role-session-name: github-deploy
        aws-region: ap-southeast-2 # set your region

Example (a). GitLab pipeline using configure-aws-credentials.

This can be done by creating a new environment variable in your GitHub repository with your AWS access key and secret access key.

name: GitHub Pipeline

on:
  workflow_dispatch:
    inputs:

  push:
    

jobs:
  name: Get Workspaces
  runs-on: ubuntu-latest
  permissions:
    id-token: write
    contents: read

  steps:
    - name: configure aws credentials
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: ${{ secrets.AWS_REGION }}

Example (b). GitLab pipeline using gitlab keys.

In this example, the AWS configure command sets the AWS credentials using the environment variables $AWS_ACCESS_KEY_ID and $AWS_SECRET_ACCESS_KEY.

Redeploy a Service Role

Go to Citadel.Run;
Select Environments on the Menu;
Select the Environment you want to redeploy;
Select Service Roles on the left menu;
Find the service role you want to redeploy and click on the three dots on the right side;
Click Redeploy.

For more information on how to set up a blueprint in GitLab and run pipelines to AWS, you can refer to the official GitHub documentation:

AWS for GitHub Actions

You can't perform that action at this time. You signed in with another tab or window. You signed out in another tab or window. Reload to refresh your session. Reload to refresh your session.

github.com

Configuring the AWS CLI

docs.aws.amazon.com

run-instances - AWS CLI 1.27.59 Command Reference

docs.aws.amazon.com

← Previous

Environments

Domains

On this page

Redeploy service role