CollabOps

AWS

AWS credentials, ECR Docker authentication, and EKS cluster setup

AWS templates follow a chain pattern: authenticate with aws-auth first, then use aws-ecr-auth or aws-eks-setup in subsequent steps.

collabops/aws-auth@v1

On-Premise: ❌ — requires AWS connectivity

Configures AWS credentials. Subsequent steps share authentication via AWS_SHARED_CREDENTIALS_FILE.

| Input | Required | Default | Description |
|---|---|---|---|
| access-key-id | YES | - | AWS Access Key ID. ${{ secrets.AWS_ACCESS_KEY_ID }} recommended |
| secret-access-key | YES | - | AWS Secret Access Key. ${{ secrets.AWS_SECRET_ACCESS_KEY }} recommended |
| region | YES | - | AWS region (e.g., ap-northeast-2) |
| role-arn | NO | "" | IAM Role ARN to assume (for cross-account access) |
| session-name | NO | "collabops-pipeline" | STS Assume Role session name |
| config-path | NO | "/workspace/source/.aws" | AWS config storage path |

Examples

Basic — direct access keys

jobs:
  deploy:
    steps:
      - name: checkout
        uses: "collabops/checkout@v2"
        with:
          repo-url: "https://<collabops-host>/<workspace>/<repository>.git"
      # Downstream steps inherit credentials via AWS_SHARED_CREDENTIALS_FILE.
      - name: aws-auth
        uses: "collabops/aws-auth@v1"
        with:
          access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          region: ap-northeast-2
      - name: sanity-check
        run: aws sts get-caller-identity
        image: amazon/aws-cli:2.17.0

AssumeRole — least privilege + cross-account

jobs:
  deploy:
    steps:
      - name: aws-auth-assumed-role
        uses: "collabops/aws-auth@v1"
        with:
          access-key-id: ${{ secrets.CI_BOOTSTRAP_AWS_AKID }}
          secret-access-key: ${{ secrets.CI_BOOTSTRAP_AWS_SECRET }}
          region: ap-northeast-2
          # Bootstrap keys only grant sts:AssumeRole; the real permissions live on role-arn.
          role-arn: arn:aws:iam::123456789012:role/ci-deploy
          # session-name shows up in CloudTrail — use the commit SHA for traceability.
          session-name: "collabops-${{ collabops.sha }}"

Key points — Always run the auth step first, in the same Job (credentials are not shared across Jobs). Recommended: keep bootstrap keys limited to sts:AssumeRole and delegate actual permissions through role-arn. region becomes the default for downstream commands — pass --region explicitly for multi-region work.
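One way to check the bootstrap-key recommendation before the keys are stored as secrets, as an added example that is not CollabOps code: it audits an IAM identity policy and reports every Allow that goes beyond sts:AssumeRole on a pinned role. The function name and both sample policies are constructed for illustration; the role ARN is the one used in the example above.

```python
ROLE_ARN = "arn:aws:iam::123456789012:role/ci-deploy"

# Constructed sample policies: the intended shape, and an over-broad one.
TIGHT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN},
]}
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole", "ecr:*"], "Resource": "*"},
    {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
]}


def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_bootstrap_policy(policy, allowed_roles):
    """Return one finding per grant that exceeds sts:AssumeRole on allowed_roles."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants an open-ended set")
            continue
        for action in _as_list(stmt.get("Action")):
            if action.lower() != "sts:assumerole":  # action names are case-insensitive
                findings.append(f"statement {i}: extra action {action}")
        for resource in _as_list(stmt.get("Resource")):
            if "*" in resource or "?" in resource or resource not in allowed_roles:
                findings.append(f"statement {i}: resource {resource} is not a pinned role ARN")
    return findings


if __name__ == "__main__":
    for name, pol in (("tight", TIGHT), ("weak", WEAK)):
        print(name, audit_bootstrap_policy(pol, {ROLE_ARN}) or "ok")
```
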

collabops/aws-ecr-auth@v1

On-Premise: ❌ — requires AWS connectivity

Configures AWS ECR Docker authentication. Use after aws-auth.

| Input | Required | Default | Description |
|---|---|---|---|
| region | YES | - | AWS region (e.g., ap-northeast-2) |
| registry-id | NO | "" | ECR registry ID (AWS account ID). Defaults to the current account if not specified |
| config-path | NO | "/workspace/source/.aws" | AWS config path |

Examples

auth → ecr auth → docker push pipeline

jobs:
  publish:
    services:
      - docker
    steps:
      - name: aws-auth
        uses: "collabops/aws-auth@v1"
        with:
          access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          region: ap-northeast-2
      # Authenticates every ECR repository in the same account.
      - name: ecr-auth
        uses: "collabops/aws-ecr-auth@v1"
        with:
          region: ap-northeast-2
      - name: build-push-ecr
        uses: "collabops/docker-build-push@v1"
        with:
          tags: "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/api:${{ collabops.sha }}"

Cross-account ECR (different registry-id)

jobs:
  publish:
    services:
      - docker
    steps:
      - name: aws-auth
        uses: "collabops/aws-auth@v1"
        with:
          access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          region: ap-northeast-2
      # Set registry-id explicitly when the registry is in a different account.
      - name: ecr-auth-cross-account
        uses: "collabops/aws-ecr-auth@v1"
        with:
          region: ap-northeast-2
          registry-id: "999988887777"
      - name: build-push
        uses: "collabops/docker-build-push@v1"
        with:
          tags: "999988887777.dkr.ecr.ap-northeast-2.amazonaws.com/shared/api:${{ collabops.sha }}"

Key points: aws-auth must come first. ECR tokens last 12 hours, so they are only valid within the same Job. The repository must exist beforehand — this template never auto-creates one. Cross-account pushes require both registry-id and the matching repository policy on the target account.

collabops/aws-eks-setup@v1

On-Premise: ❌ — requires AWS connectivity

Configures EKS cluster authentication and kubectl context. Use after aws-auth.

| Input | Required | Default | Description |
|---|---|---|---|
| region | YES | - | AWS region (e.g., ap-northeast-2) |
| cluster-name | YES | - | EKS cluster name |
| role-arn | NO | "" | IAM Role ARN for kubectl |
| config-path | NO | "/workspace/source/.aws" | AWS config path |

Examples

EKS auth + kubectl apply

jobs:
  deploy:
    steps:
      - name: checkout
        uses: "collabops/checkout@v2"
        with:
          repo-url: "https://<collabops-host>/<workspace>/<repository>.git"
      - name: aws-auth
        uses: "collabops/aws-auth@v1"
        with:
          access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          region: ap-northeast-2
      # kubeconfig flows to later steps via the KUBECONFIG env var automatically.
      - name: eks-setup
        uses: "collabops/aws-eks-setup@v1"
        with:
          region: ap-northeast-2
          cluster-name: prod-cluster
      - name: apply-manifests
        run: |
          kubectl apply -f k8s/namespace.yaml
          kubectl apply -f k8s/deployment.yaml
          kubectl -n prod rollout status deployment/api --timeout=5m
        image: bitnami/kubectl:1.30

Assume a different IAM Role for kubectl calls

jobs:
  deploy:
    steps:
      - name: aws-auth
        uses: "collabops/aws-auth@v1"
        with:
          access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          region: ap-northeast-2
      - name: eks-setup-via-role
        uses: "collabops/aws-eks-setup@v1"
        with:
          region: ap-northeast-2
          cluster-name: prod-cluster
          # `aws eks get-token --role-arn` delegates cluster access to a separate role.
          # The role must already be mapped in the EKS aws-auth ConfigMap.
          role-arn: arn:aws:iam::123456789012:role/eks-deployer
      - name: rollout
        run: kubectl -n prod set image deployment/api api=$IMAGE
        env:
          IMAGE: "123456789012.dkr.ecr.ap-northeast-2.amazonaws.com/api:${{ collabops.sha }}"
        image: bitnami/kubectl:1.30

Key points — kubeconfig propagates to later steps automatically; no manual export needed. Use role-arn to drive kubectl with a different identity — that role must be mapped in the EKS aws-auth ConfigMap. Always wrap production rollouts with kubectl rollout status to confirm completion.
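The chain rules stated in the key points above (aws-auth first, in the same Job, with credentials taken from secrets) can be checked before a pipeline is merged. This is an added example, not part of CollabOps: lint_pipeline and the sample data are hypothetical, and it assumes the pipeline YAML has already been parsed into a dict with the jobs/steps layout used in the examples on this page.

```python
import re

# A value that is exactly one ${{ secrets.NAME }} expression.
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")
# Templates that rely on an earlier aws-auth step.
NEEDS_AUTH = ("collabops/aws-ecr-auth@", "collabops/aws-eks-setup@")

# Constructed sample: a literal key id, and ECR auth in a job with no aws-auth.
SAMPLE = {"jobs": {
    "auth": {"steps": [
        {"name": "aws-auth", "uses": "collabops/aws-auth@v1", "with": {
            "access-key-id": "AKIA-CONSTRUCTED-PLACEHOLDER",
            "secret-access-key": "${{ secrets.AWS_SECRET_ACCESS_KEY }}",
            "region": "ap-northeast-2"}}]},
    "publish": {"steps": [
        {"name": "ecr-auth", "uses": "collabops/aws-ecr-auth@v1",
         "with": {"region": "ap-northeast-2"}}]},
}}


def lint_pipeline(pipeline):
    """Return findings for broken auth chains and credentials not read from secrets."""
    findings = []
    for job_name, job in pipeline.get("jobs", {}).items():
        authed = False  # reset per job: credentials are not shared across Jobs
        for step in job.get("steps", []):
            uses = step.get("uses", "")
            label = f"{job_name}/{step.get('name', '?')}"
            if uses.startswith("collabops/aws-auth@"):
                authed = True
                for key in ("access-key-id", "secret-access-key"):
                    value = str(step.get("with", {}).get(key, ""))
                    if not SECRET_REF.match(value):
                        # Report the input name only, never the value itself.
                        findings.append(f"{label}: {key} is not a secrets reference")
            elif uses.startswith(NEEDS_AUTH) and not authed:
                findings.append(f"{label}: no aws-auth step earlier in this job")
    return findings


if __name__ == "__main__":
    for finding in lint_pipeline(SAMPLE):
        print(finding)
```
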
