
Update:

Not sure when this happened, but this works as described now.

There is also an option in the Pipeline build action to set the secret directly.


Original Question:

I have an environment variable for the secret-id set inside the build phase of an AWS CodePipeline, e.g. $SECRET_ID.

I want to use it in the CodeBuild buildspec.yml to get a set of secrets from the Secrets Manager based on my environment. Is it possible to self-reference other variables in a buildspec file?

This is how I would have anticipated it would work, but it doesn't.

version: 0.2

env:
  secrets-manager:
    MY_SECRET: ${SECRET_ID}

phases:
  build:
    commands:
      - echo $MY_SECRET

I receive the following error in the build logs.

Secrets Manager Error Message: ValidationException: Invalid name. Must be a valid name containing alphanumeric characters, or any of the following: -/_+=.@!

hyperdrive
  • It should be possible, since MY_SECRET is an environment variable after all. Does running the build stage get the expected secret into the container? – sash Jan 22 '20 at 20:09
  • @sash Oops, should have added the build log error. Thanks, updated. – hyperdrive Jan 22 '20 at 20:16
  • From the error it looks like the ${SECRET_ID} is not valid. Could you do an echo on your ${SECRET_ID}, @hyperdrive, and check that it adheres to the format `secret-id:json-key:version-stage:version-id` as in the documentation https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html#secrets-manager-build-spec. – sash Jan 22 '20 at 20:29
  • Yah, $SECRET_ID or ${SECRET_ID} is the correct value if I remove the secrets-manager. And I do get the secret value if I hard-code the id in. I am getting the feeling the CodeBuild implementation of secrets-manager just doesn't support doing this. – hyperdrive Jan 22 '20 at 20:36
  • ${SECRET_ID} should be in this format: `secret-id:json-key`. Let's say you have a `demo` secret in Secrets Manager with a `key` entry whose value is `content`; then you need to use `demo:key` and it will return the JSON format. Refer to https://docs.aws.amazon.com/codebuild/latest/userguide/build-spec-ref.html#secrets-manager-build-spec – Mahattam Jan 23 '20 at 01:44
  • @Mahattam Yeah, I know. Looks like it's trying to use the actual text `$SECRET_ID`. My hope was that it would, or that there would be a way to interpolate the value of the env variable. I wanted to swap out the secret-id/json-key based on the project I am building in the pipeline, without having to create separate build projects per stage or writing commands to parse the secret, because they conveniently do it already. – hyperdrive Jan 23 '20 at 18:28

3 Answers

You simply need to reference it directly, as `key: secret-id`, where:

key: (Required) The local environment variable name. Use this name to access the variable during the build.

secret-id: (Required) The name or Amazon Resource Name (ARN) that serves as a unique identifier for the secret. To access a secret in your AWS account, simply specify the secret name. To access a secret in a different AWS account, specify the secret ARN.

version: 0.2

env:
  secrets-manager:
    MY_SECRET: SECRET_ID

phases:
  build:
    commands:
      - echo $MY_SECRET

pranayC
  • I could use it directly, of course. The reason for this question was asking how not to use it directly. Or am I missing something you are saying? – hyperdrive Nov 03 '20 at 16:25
I faced the same error.

Set the ARN as the environment variable, like below:

export SECRET_ID=arn:aws:secretsmanager:...

It will work.

sundy
Alternatively, you can call the AWS API in one of the phases instead.

version: 0.2

phases:
  build:
    commands:
      # $SECRET_ID is the plaintext environment variable set on the build action
      - SECRET_JSON=$(aws secretsmanager get-secret-value --secret-id "$SECRET_ID")
      # SecretString is itself a JSON document, so it is decoded a second time
      - MY_SECRET_VALUE=$(echo "$SECRET_JSON" | jq -r '.SecretString' | jq -r '.mySecretKey')
      # note: this writes the secret value into the build log
      - echo $MY_SECRET_VALUE

Here .SecretString is given by the structure of the secretsmanager output, and mySecretKey is the custom key of a key-value pair in the secret.

  • Thanks for posting, it actually made me go back and look into this, and my original method works now :) – hyperdrive Jan 26 '21 at 21:01
  • @hyperdrive, how did you get your original method working? I can't get it working for myself. – johnsimer May 01 '21 at 19:46
  • @johnsimer I'm not sure it works for me... In the CodePipeline > Build phase set a plaintext environment var for `SECRET_ID` set to the secret name. Then in the buildspec I reference it exactly how I have it above. – hyperdrive May 31 '21 at 23:40
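An added example (Python, not code from the question or from any of the answers) covering two points raised in this thread: the ValidationException in the question, whose allowed-character list shows that `${SECRET_ID}` reached Secrets Manager as literal text (`$`, `{` and `}` are not in that list, so the buildspec never expanded it), and the double JSON decoding that the `jq` pipeline in the answer above performs on `SecretString`. The sample response is constructed to look like `aws secretsmanager get-secret-value` output; the secret name `demo` and key `key` follow Mahattam's comment, the ARN and version id are made up, and validating only the secret-name form (no ARN handling) is an assumption of this example.

```python
"""Added example: check a buildspec secrets-manager reference and decode a
get-secret-value response. Not from the original question or answers."""
import json
import re
from typing import Optional

# Character set quoted in the ValidationException in the question:
# "alphanumeric characters, or any of the following: -/_+=.@!".
# Assumption: only the secret *name* form is validated here; ARNs contain
# ':' and are not handled by this example.
_NAME_RE = re.compile(r"^[A-Za-z0-9\-/_+=.@!]+$")


def parse_reference(ref: str) -> dict:
    """Split a buildspec reference `secret-id:json-key:version-stage:version-id`
    into named fields (only secret-id is required, per the CodeBuild docs
    linked in the comments). Raises ValueError if the secret name contains
    characters Secrets Manager rejects, which is exactly what happens when the
    literal text `${SECRET_ID}` is passed through unexpanded."""
    parts = ref.split(":", 3)
    fields = dict(zip(("secret_id", "json_key", "version_stage", "version_id"), parts))
    secret_id = fields["secret_id"]
    if not _NAME_RE.fullmatch(secret_id):
        bad = sorted({c for c in secret_id if not _NAME_RE.fullmatch(c)})
        raise ValueError(
            f"Invalid name {secret_id!r}: characters {bad} are not allowed. "
            "If this is a shell variable, the buildspec did not expand it."
        )
    return fields


def extract_secret_value(response_json: str, key: Optional[str] = None) -> str:
    """Return one value from a `aws secretsmanager get-secret-value` response.

    Mirrors the pipeline  jq -r '.SecretString' | jq -r '.mySecretKey'  from
    the answer above: SecretString is a JSON *string* holding another JSON
    document, so it is decoded twice. key=None returns the raw SecretString
    (a plaintext secret). A missing key raises KeyError instead of yielding
    the string "null" as `jq -r` would."""
    resp = json.loads(response_json)
    if "SecretString" not in resp:
        raise ValueError("response has no SecretString (binary secret?)")
    secret = resp["SecretString"]
    if key is None:
        return secret
    data = json.loads(secret)
    if key not in data:
        raise KeyError(f"{key!r} not in secret {resp.get('Name')!r}")
    return str(data[key])


# Constructed sample modelled on get-secret-value output (made-up ARN/ids).
SAMPLE_SECRET = {"key": "content", "dbPassword": "p@ss"}
SAMPLE_RESPONSE = json.dumps({
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:demo-AbCdEf",
    "Name": "demo",
    "VersionId": "11111111-2222-3333-4444-555555555555",
    "SecretString": json.dumps(SAMPLE_SECRET),
    "VersionStages": ["AWSCURRENT"],
})

if __name__ == "__main__":
    for ref in ("demo:key", "${SECRET_ID}"):
        try:
            print(ref, "->", parse_reference(ref))
        except ValueError as err:
            print(ref, "->", err)
    print(extract_secret_value(SAMPLE_RESPONSE, "key"))
```

Running the script shows `demo:key` splitting cleanly into `secret_id` and `json_key`, while `${SECRET_ID}` fails with the same class of "Invalid name" complaint the build log reported, because the reference is checked before anything is fetched.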