stg use role_arn too

akirasosa · akirasosa · commit f0122042b54d · 2016-11-02T12:05:59.000+07:00
diff --git a/.envrc.example b/.envrc.example
@@ -1,12 +1,6 @@
 #!/usr/bin/env bash
 
-export AWS_ACCESS_KEY_ID=
-export AWS_SECRET_ACCESS_KEY=
-export AWS_DEFAULT_REGION=
-export AWS_REGION=
-
-export PROD_ROLE_ARN=
+export ROLE_ARN_stg=
+export ROLE_ARN_prod=
 
 export SLACK_WEBHOOK_URL=
-
-unset AWS_SESSION_TOKEN
diff --git a/.travis.yml b/.travis.yml
@@ -29,7 +29,7 @@ before_deploy:
   - npm prune --production
 deploy:
   - provider: script
-    script: ./scripts/deploy.sh ${ENV}
+    script: ./scripts/deploy.sh
     skip_cleanup: true
     on:
       branch: deploy/*
diff --git a/scripts/deploy.sh b/scripts/deploy.sh
@@ -2,10 +2,8 @@
 
 set -u
 
-ENV=$1
-
-if [ "${ENV}" = "prod" ]; then
-  source scripts/switch-production-role.sh
+if [ ! -v AWS_SESSION_TOKEN ]; then
+  source ./scripts/switch-role.sh
 fi
 
 # account number to mask
diff --git a/scripts/switch-production-role.sh b/scripts/switch-production-role.sh
diff --git a/scripts/switch-role.sh b/scripts/switch-role.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+# Parse variable such as ROLE_ARN_stg, ROLE_ARN_prod and etc.
+ROLE_ARN=$(eval echo '$ROLE_ARN_'${ENV})
+
+CREDENTIALS=$(aws sts assume-role --role-arn ${ROLE_ARN} --role-session-name travisci)
+
+export AWS_ACCESS_KEY_ID=$(echo ${CREDENTIALS} | jq --raw-output .Credentials.AccessKeyId)
+export AWS_SECRET_ACCESS_KEY=$(echo ${CREDENTIALS} | jq --raw-output .Credentials.SecretAccessKey)
+export AWS_SESSION_TOKEN=$(echo ${CREDENTIALS} | jq --raw-output .Credentials.SessionToken)
