JENKINS-38220

Support for EC2 instance profile credentials


In our AWS environment we avoid using static AWS credentials (i.e. AWS Access Key ID and AWS Secret Access Key). Instead we use ephemeral credentials that are supplied using the Amazon IAM/STS system.

i.e. the use of static AWS credentials is not possible in our environment; we need to dynamically acquire credentials on the master / slave too. These credentials are then used to switch roles per our IAM configuration.

Once the credentials are acquired, we use those credentials (Access Key ID, Secret Access Key, Session Token) to perform AWS actions as normal.

An example

As a brief example (from a pipeline script):

    // clear any static credentials so the CLI cannot fall back to them
    env.AWS_ACCESS_KEY_ID = ""
    env.AWS_SECRET_ACCESS_KEY = ""
    env.AWS_SESSION_TOKEN = ""

    def roleArn = "arn:aws:iam::<13 character AWS ID>:role/my-custom-role"
    def externalParam = "--external-id ABCDEFG" // security parameter - optional

    // STS prints JSON on stdout; the Credentials object carries
    // AccessKeyId, SecretAccessKey, SessionToken and Expiration
    def json = sh(returnStdout: true,
                  script: "aws sts assume-role --duration-seconds 3600 --role-arn ${roleArn} --role-session-name rsn ${externalParam}")

    def jsonSlurper = new groovy.json.JsonSlurperClassic()
    def object = jsonSlurper.parseText(json)

    return object.Credentials

Important points

• external-id support required
• credentials must be acquired on the correct instance (you can't always acquire on master as the security configuration is locked down per instance type)
• credentials expire after an hour (maximum)
• Access Key ID can be logged, but the other parameters should not be
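The points above in working form, as an added example that is not part of the issue or of any Jenkins plugin: it parses the JSON that `aws sts assume-role` prints (the same object the pipeline snippet hands to JsonSlurperClassic), maps it to the AWS_* variables, checks how long the temporary credentials have left, and builds a log line that carries only the Access Key ID. The sample JSON, the 300-second refresh margin and the function names are assumptions made for this example.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `aws sts assume-role` output; every value is a placeholder.
SAMPLE_STS_JSON = """{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "EXAMPLE-SECRET-DO-NOT-LOG",
    "SessionToken": "EXAMPLE-SESSION-TOKEN-DO-NOT-LOG",
    "Expiration": "2016-09-15T13:00:00Z"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAEXAMPLEID:rsn",
    "Arn": "arn:aws:sts::123456789012:assumed-role/my-custom-role/rsn"
  }
}"""

def parse_utc(stamp):
    """STS prints Expiration as ISO 8601 UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_sts_output(text):
    """Map the Credentials object to the variables the AWS CLI and SDKs read."""
    creds = json.loads(text)["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
        "EXPIRATION": parse_utc(creds["Expiration"]),
    }

def seconds_remaining(env, now):
    """Seconds until the credentials expire (at most an hour from issue)."""
    return (env["EXPIRATION"] - now).total_seconds()

def needs_refresh(env, now, margin_seconds=300):
    """True when the credentials are expired or within the margin; assume the role again."""
    return seconds_remaining(env, now) <= margin_seconds

def log_safe_summary(env):
    """Only the Access Key ID and expiry are loggable; secret and token are redacted."""
    return ("assumed-role credentials: AccessKeyId=%s expires=%s "
            "SecretAccessKey=<redacted> SessionToken=<redacted>"
            % (env["AWS_ACCESS_KEY_ID"], env["EXPIRATION"].isoformat()))

if __name__ == "__main__":
    creds = parse_sts_output(SAMPLE_STS_JSON)
    print(log_safe_summary(creds))
```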

Assignee: Unassigned
Reporter: Ben Walding (bwalding)
Votes: 5
Watchers: 11
