
Add support for the upload-logs-s3 role to obtain a short-term token from the AWS sts service using a federated OIDC provider (which may be Zuul itself).

Change-Id: Ic69fb1f61f53b3b8dd08f776b96e9d5db57dbf5a
Upload logs to S3
Before using this role, create at least one bucket and set up appropriate access controls or lifecycle events. This role will not automatically create buckets.
This role requires the boto3 Python package to be installed in the Ansible environment on the Zuul executor.
Role Variables
This role will not create buckets which do not already exist. If partitioning is not enabled, this is the name of the bucket which will be used. If partitioning is enabled, then this will be used as the prefix for the bucket name which will be separated from the partition name by an underscore. For example, "logs_42" would be the bucket name for partition 42.
Note that you will want to set this to a value that uniquely identifies your Zuul installation.
The endpoint to use when uploading logs to an S3-compatible service. By default this will be automatically constructed by boto, but it should be set when working with a non-AWS-hosted S3 service.
Conventional authentication
To authenticate with a conventional AWS access key and secret, supply the following two variables:
AWS access key to use.
AWS secret key for the AWS access key.
OIDC federated authentication
It is also possible to authenticate using OIDC, including using Zuul as an ID provider with Zuul's OIDC token secrets feature. Use the following variables to do so:
The ARN of the AWS role to assume when authenticating.
The token issued by the federated IDP. If the IDP is Zuul, this should be the token secret.
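The following sketch shows the exchange behind the OIDC variables above: the IDP token and role ARN are traded at STS for short-term credentials, which then build the S3 client. It is an added example, not the role's own code. The function names, the session name and the expected audience value are assumptions, and the pre-flight check only reads the token's claims without verifying its signature (STS performs the verification).

```python
import base64
import json
import time


def unverified_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (STS does that)."""
    try:
        payload = token.split(".")[1]
        padded = payload + "=" * (-len(payload) % 4)  # restore stripped padding
        return json.loads(base64.urlsafe_b64decode(padded))
    except (IndexError, ValueError) as exc:
        raise ValueError("not a compact JWT") from exc


def preflight(token, expected_aud, now=None):
    """Return the reasons STS would reject this token (empty list if none found)."""
    claims = unverified_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")
    return problems


def s3_client_from_oidc(role_arn, token, expected_aud, endpoint_url=None):
    """Exchange the OIDC token for short-term credentials and build an S3 client."""
    import boto3  # imported lazily; the role already requires boto3

    problems = preflight(token, expected_aud)
    if problems:
        raise RuntimeError("refusing to call STS: " + ", ".join(problems))
    sts = boto3.client("sts")  # this STS call is unsigned; no AWS keys needed
    creds = sts.assume_role_with_web_identity(
        RoleArn=role_arn,
        RoleSessionName="zuul-upload-logs",  # hypothetical session name
        WebIdentityToken=token,
        DurationSeconds=900,  # shortest lifetime STS allows
    )["Credentials"]
    return boto3.client(
        "s3",
        endpoint_url=endpoint_url,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
```

Running the pre-flight check first turns an expired or wrongly scoped token into a clear local error instead of an STS rejection in the middle of a log upload.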