Typed AWS environment variables for access keys & region
Problem to solve
People need to deploy to AWS, but entering the right environment variables can be confusing and error prone. By adding a new kind of typed extensible variable (https://gitlab.com/gitlab-org/gitlab-ce/issues/46806) we can make this much easier, and provide a better but still simple integration for teams doing deployments to AWS.
The AWS command line client supports a few environment variables: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html. We can make setting these via typed variables quite easy.
The typical use case will be to scope these variables to environments, so the right values are automatically set up for the automation targeting a given environment. The AWS variables should be predefined and cannot be edited.
User Story
As a user, I want to have the ability to select predefined AWS variables in my project settings, so that I can make this configuration in a few steps and avoid making errors while choosing which variable I want to manage.
Target audience
- Delaney, Development Team Lead, https://design.gitlab.com/research/personas#persona-delaney
- Sasha, Software Developer, https://design.gitlab.com/research/personas#persona-sasha
- Devon, DevOps Engineer, https://design.gitlab.com/research/personas#persona-devon
Proposal
Acceptance criteria
On project `/settings/ci_cd`, under `variables`:
- When a user types text in the Key input field that matches the pattern of an AWS variable (e.g. "A", "AWS", "AWS_AC"), display a dropdown showing the matching variables.
  - AWS variables
    - `AWS_ACCESS_KEY_ID` – Specifies an AWS access key associated with an IAM user or role.
    - `AWS_SECRET_ACCESS_KEY` – Specifies the secret key associated with the access key. This is essentially the "password" for the access key.
    - `AWS_DEFAULT_REGION` – Specifies the AWS Region to send the request to. This one may be optional.
- If a user selects an option from the dropdown, populate the Key field with the selected value.
- If a user enters a text value not matching a variable pattern, remove those options from the dropdown.
- If a user enters a text value not matching any of the variables, hide the dropdown.
- Update documentation to include a link to AWS best practices.
Validation should be done only for:
- KEYID="AWS-key-ID" specifies the AWS access key ID. This value is a 20-character, alphanumeric string. A sample key ID value is AKIAIOSFODNN7EXAMPLE.
- SECRET="AWS-secret" specifies the AWS secret access key. This value is a 40-character string. A sample secret access value is wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.
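The dropdown matching and value validation from the acceptance criteria above, as an added example that is not GitLab's implementation. The function names `suggestAwsKeys` and `validateAwsValue`, case-sensitive prefix matching, and hiding the dropdown on empty input are assumptions.

```javascript
// Added example: all names below are hypothetical, not GitLab's own code.
const AWS_VARIABLES = ['AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'AWS_DEFAULT_REGION'];

// Validation rules taken from the proposal: only the key ID and the secret are checked.
const VALUE_RULES = {
  AWS_ACCESS_KEY_ID: {
    test: (v) => /^[A-Za-z0-9]{20}$/.test(v),
    message: 'must be a 20-character alphanumeric string',
  },
  AWS_SECRET_ACCESS_KEY: {
    test: (v) => v.length === 40,
    message: 'must be a 40-character string',
  },
};

// Return the predefined AWS variables whose name starts with the typed text.
// An empty array means the dropdown is hidden.
// Assumption: case-sensitive prefix match; empty input shows no suggestions.
function suggestAwsKeys(typed) {
  const text = typed.trim();
  if (text === '') return [];
  return AWS_VARIABLES.filter((name) => name.startsWith(text));
}

// Validate a value for a given key. The error names the rule only and never
// echoes the value, so a mistyped secret does not end up in the UI or in logs.
function validateAwsValue(key, value) {
  const rule = VALUE_RULES[key];
  if (!rule) return { valid: true, error: null }; // e.g. AWS_DEFAULT_REGION is not validated
  if (typeof value !== 'string' || !rule.test(value)) {
    return { valid: false, error: `${key} ${rule.message}` };
  }
  return { valid: true, error: null };
}
```

A value pasted with a trailing newline fails both checks, which surfaces a common copy-and-paste mistake before the pipeline runs with broken credentials.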
Scenario | Mock |
---|---|
User focuses on key input | |
User types "A" or text value matching one of the AWS variable patterns | |
User types text not matching an AWS variable pattern | |
What does success look like, and how can we measure that?
We want to be able to understand how many people are deploying to AWS (and other clouds) - we should have a usage ping that shows how many people are using the AWS credential creation in this way as evidence of ~Release usage, though this should of course be anonymous.
Links / references
Out of scope
In the future, we could also consider:
- `AWS_DEFAULT_OUTPUT` – Specifies the output format to use.
- `AWS_DEFAULT_PROFILE` – Specifies the name of the CLI profile with the credentials and options to use. This can be the name of a profile stored in a credentials or config file, or the value default to use the default profile. If you specify this environment variable, it overrides the behavior of using the profile named [default] in the configuration file.
- `AWS_SESSION_TOKEN` – Specifies the session token value that is required if you are using temporary security credentials. For more information, see the Output section of the assume-role command in the AWS CLI Command Reference.
- `AWS_CA_BUNDLE` – Specifies the path to a certificate bundle to use for HTTPS certificate validation.
- `AWS_SHARED_CREDENTIALS_FILE` – Specifies the location of the file that the AWS CLI uses to store access keys (the default is ~/.aws/credentials).
- `AWS_CONFIG_FILE` – Specifies the location of the file that the AWS CLI uses to store configuration profiles (the default is ~/.aws/config).
  - The AWS Config file should be a file type (we may need to support file path in the future - to be checked)