So, OIDC token exchanges are all the rage. They let you do away with long-term secrets: your local identity provider issues a short-lived token attesting who you are, and a trust policy in the other environment decides whether that token (its issuer and subject) may assume a role there.
Here we're doing it against AWS's STS API, using just curl.
The output of the STS API is... XML.
For some reason yq, the YAML tool, also handles XML,
so we use that to extract the interesting parts.
```sh
AWS_REGION=   # region to operate in (picks the STS regional endpoint)
ACCOUNT_ID=   # account ID, not strictly necessary, but probably needed in ROLE_ARN
NAME=         # choose a good name for this session; it ends up in the assumed-role ARN and in CloudTrail
ROLE_ARN=     # role to assume
OIDC_TOKEN=   # token from the third-party IdP; the role's trust policy decides whether it may assume the role

# --url-query needs curl 7.87.0 or newer. DurationSeconds must lie between 900
# and the role's MaxSessionDuration (1 hour unless raised) or STS rejects the call.
curl \
  -o assume_id.xml \
  -X POST \
  --url-query "Action=AssumeRoleWithWebIdentity" \
  --url-query "DurationSeconds=3600" \
  --url-query "RoleSessionName=${NAME}" \
  --url-query "RoleArn=${ROLE_ARN}" \
  --url-query "WebIdentityToken=${OIDC_TOKEN}" \
  --url-query "Version=2011-06-15" \
  "https://sts.${AWS_REGION}.amazonaws.com"

# This is mikefarah's yq (v4+), which reads XML with -p xml; the Python yq
# wrapper around jq does not. If STS refused the request the file holds an
# <ErrorResponse> instead of credentials and every lookup below yields the
# string "null", so check the file before trusting these variables.
aws_res_prefix='.AssumeRoleWithWebIdentityResponse.AssumeRoleWithWebIdentityResult.Credentials'
export AWS_SESSION_TOKEN=$(yq e -p xml -o yaml "${aws_res_prefix}.SessionToken" assume_id.xml)
export AWS_SECRET_ACCESS_KEY=$(yq e -p xml -o yaml "${aws_res_prefix}.SecretAccessKey" assume_id.xml)
export AWS_ACCESS_KEY_ID=$(yq e -p xml -o yaml "${aws_res_prefix}.AccessKeyId" assume_id.xml)

# assume_id.xml now holds live credentials on disk; remove it once they are exported.
rm -f assume_id.xml
```
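The same exchange once more, as an added example that is not code from the original post. It differs from the snippet above in three ways a practitioner will want: the parameters travel in the POST body via `--data-urlencode`, so the OIDC token is not part of the URL that proxies and access logs record; an STS `<ErrorResponse>` (expired token, trust policy mismatch, DurationSeconds above the role's maximum) is detected and reported instead of silently exporting "null"; and the extraction needs only sed and grep, relying on the fixed shape of the STS reply. The function names, the temp file handling and the two sample responses are my own; the sample responses are constructed in the shape STS returns, not captured from a real account.

```shell
#!/bin/sh
# Added example (not from the original post): AssumeRoleWithWebIdentity with
# the parameters in the POST body, an explicit <ErrorResponse> check, and
# sed-only credential extraction. Function names and sample data are mine.

# Send the request; the response body lands in $out.
# Returns 0 on a 2xx status, 1 on a transport error or any other status.
sts_assume_role_with_web_identity() {
  region=$1 role_arn=$2 session_name=$3 token=$4 out=$5
  status=$(curl -sS -o "$out" -w '%{http_code}' \
    --data-urlencode "Action=AssumeRoleWithWebIdentity" \
    --data-urlencode "Version=2011-06-15" \
    --data-urlencode "DurationSeconds=3600" \
    --data-urlencode "RoleSessionName=${session_name}" \
    --data-urlencode "RoleArn=${role_arn}" \
    --data-urlencode "WebIdentityToken=${token}" \
    "https://sts.${region}.amazonaws.com/") || return 1
  case $status in
    2??) return 0 ;;
    *)   return 1 ;;
  esac
}

# Pull the text of one element out of the response file. Relies on the fixed
# shape of an STS Query-API reply (each credential element occurs once and
# holds no markup), which is true for AssumeRoleWithWebIdentity.
sts_field() {
  sed -n "s|.*<$2>\([^<]*\)</$2>.*|\1|p" "$1" | head -n 1
}

# STS reports refusals as HTTP 4xx with an <ErrorResponse> body.
# Print "Code: Message" to stderr and return 1 if $1 is such a response.
sts_check_error() {
  if grep -q '<ErrorResponse' "$1"; then
    printf '%s: %s\n' "$(sts_field "$1" Code)" "$(sts_field "$1" Message)" >&2
    return 1
  fi
  return 0
}

# Export the three variables the AWS CLI and SDKs read, plus the expiry under
# the name aws-vault uses (the SDKs ignore it) so a wrapper can refresh in time.
# Fails if the response was an error or the fields came back empty.
sts_export_credentials() {
  sts_check_error "$1" || return 1
  export AWS_ACCESS_KEY_ID="$(sts_field "$1" AccessKeyId)"
  export AWS_SECRET_ACCESS_KEY="$(sts_field "$1" SecretAccessKey)"
  export AWS_SESSION_TOKEN="$(sts_field "$1" SessionToken)"
  export AWS_CREDENTIAL_EXPIRATION="$(sts_field "$1" Expiration)"
  [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SESSION_TOKEN" ]
}

# Constructed sample responses (not captured from a real account); the key
# material is the placeholder style AWS uses in its documentation.
constructed_ok_response() {
  cat <<'EOF'
<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <Credentials>
      <AccessKeyId>ASIAIOSFODNN7EXAMPLE</AccessKeyId>
      <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</SecretAccessKey>
      <SessionToken>AQoDYXdzEPT//////////wEXAMPLEtoken</SessionToken>
      <Expiration>2024-05-01T12:00:00Z</Expiration>
    </Credentials>
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>
EOF
}

constructed_error_response() {
  cat <<'EOF'
<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>ExpiredTokenException</Code>
    <Message>Token expired</Message>
  </Error>
  <RequestId>00000000-0000-0000-0000-000000000000</RequestId>
</ErrorResponse>
EOF
}

main() {
  out=$(mktemp) || exit 1
  trap 'rm -f "$out"' EXIT   # the file holds live credentials; never leave it behind
  if ! sts_assume_role_with_web_identity "$AWS_REGION" "$ROLE_ARN" "$NAME" "$OIDC_TOKEN" "$out"; then
    sts_check_error "$out" || exit 1   # explains the refusal if STS sent one
    echo "STS request failed" >&2; exit 1
  fi
  sts_export_credentials "$out" || exit 1
  echo "assumed ${ROLE_ARN} as ${AWS_ACCESS_KEY_ID}, valid until ${AWS_CREDENTIAL_EXPIRATION}"
}

# Run the real exchange when the post's variables are set (AWS_REGION, ROLE_ARN,
# NAME, OIDC_TOKEN); otherwise exercise the parsing on the constructed responses.
if [ -n "${OIDC_TOKEN:-}" ]; then
  main
else
  ok=$(mktemp); constructed_ok_response > "$ok"
  sts_export_credentials "$ok" && echo "parsed ${AWS_ACCESS_KEY_ID}, expires ${AWS_CREDENTIAL_EXPIRATION}"
  bad=$(mktemp); constructed_error_response > "$bad"
  sts_check_error "$bad" || echo "refusal detected, nothing exported"
  rm -f "$ok" "$bad"
fi
```

Source the file (or `eval` its exports) rather than running it in a subshell if you want the credentials in your interactive session; run it as `OIDC_TOKEN="$(cat token)" ROLE_ARN=... NAME=... AWS_REGION=... sh sts-oidc.sh` for the real exchange. The sed extraction is deliberately narrow: it is fine for the fixed, single-occurrence elements STS returns here, and the page's `yq -p xml` remains the better choice if you need to walk anything more structured.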