Support typed AWS environment variables
Problem to solve
People need to deploy to AWS. We should make that easier using #46806, which could make it clear
- Delaney, Development Team Lead, https://design.gitlab.com/research/personas#persona-delaney
- Sasha, Software Developer, https://design.gitlab.com/research/personas#persona-sasha
- Devon, DevOps Engineer, https://design.gitlab.com/research/personas#persona-devon
We should have some kind of official AWS integration. Even if it's as simple as a service integration that asks for your credentials and passes those credentials to CI/CD via variables, it gives a place for people to look for the integration so they can know how to proceed. They can, of course, deploy to AWS today, but this helps people know the right way to do so. In addition, the existence of the integration allows us to report (anonymous) usage.
The AWS commandline client supports a few environment variables: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html. We can make setting these in an integration interface quite easy, similar to the way the (deprecated) k8s integration works.
The keys to start with are:
- AWS_ACCESS_KEY_ID – Specifies an AWS access key associated with an IAM user or role.
- AWS_SECRET_ACCESS_KEY – Specifies the secret key associated with the access key. This is essentially the "password" for the access key.
- AWS_DEFAULT_REGION – Specifies the AWS Region to send the request to. This one may be optional.
We can do some kind of validation of inputs here to avoid situations where someone has pasted a value in the wrong format, as described in comment #57780 (comment 144847555).
In the future, we could also consider:
- AWS_DEFAULT_OUTPUT – Specifies the output format to use.
- AWS_DEFAULT_PROFILE – Specifies the name of the CLI profile with the credentials and options to use. This can be the name of a profile stored in a credentials or config file, or the value default to use the default profile. If you specify this environment variable, it overrides the behavior of using the profile named [default] in the configuration file.
- AWS_SESSION_TOKEN – Specifies the session token value that is required if you are using temporary security credentials. For more information, see the Output section of the assume-role command in the AWS CLI Command Reference.
- AWS_CA_BUNDLE – Specifies the path to a certificate bundle to use for HTTPS certificate validation.
- AWS_SHARED_CREDENTIALS_FILE – Specifies the location of the file that the AWS CLI uses to store access keys (the default is ~/.aws/credentials).
- AWS_CONFIG_FILE – Specifies the location of the file that the AWS CLI uses to store configuration profiles (the default is ~/.aws/config).
What does success look like, and how can we measure that?
In addition, we want to be able to understand how many people are deploying to AWS (and other clouds) - we should have a usage ping that shows how many people are using the AWS credential creation in this way as evidence of Release usage.