
I have a Serverless Framework application. I am creating my buildspec.yml to have CodeBuild run my jest test and, after passing the test, deploy my application. This is my buildspec.yml:

```yaml
version: 0.2

phases:
  install:
    runtime-versions:
      nodejs: 12
    commands:
      - npm install -g serverless
      - npm install -g serverless-plugin-log-retention
  pre_build:
    commands:
      - npm install -g jest
      - echo aaa
      - echo bbb
      - export AWS_ACCESS_KEY_ID=aaa
      - export AWS_SECRET_ACCESS_KEY=bbb
  build:
    commands:
      - jest
  post_build:
    commands:
      - serverless deploy
```

How can I set my AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY without having them in plain text in the code? I thought about using Secrets Manager, but I don't know if that's the best practice.

I use these variables for the action

`serverless deploy`

As far as I know, I need a profile to make the deployment.

Fernando Santiago
  • Does this answer your question? [How to retrieve Secret Manager data in buildspec.yaml](https://stackoverflow.com/questions/58216549/how-to-retrieve-secret-manager-data-in-buildspec-yaml) – shimo Jul 22 '21 at 05:14
  • Assign permission to codebuild IAM role. – hoangdv Jul 22 '21 at 08:19
  • @shimo yes, it is the way to answer my question, but that answer is still incomplete. If I share the code and enable someone else to push it and run CodeBuild, he could be able to see my credentials. I think something is missing in the codebuild role – Fernando Santiago Jul 22 '21 at 14:00
  • @hoangdv can you give an example or explain more? – Fernando Santiago Jul 24 '21 at 12:44
  • I guess your codebuild permission has permission to create/update/delete lambda function, and maybe other permissions to create Log-group. Let's update the codebuild iam role to assign the permissions which are required by `serverless deploy` – hoangdv Jul 25 '21 at 01:24
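
As an added example (not part of the original question or its comments), here is the same buildspec with the static keys removed, combining the two suggestions from the comments: the build relies on the CodeBuild service role for AWS access, and any other secret comes from Secrets Manager through the buildspec `env` section. It assumes the project's service role carries the permissions `serverless deploy` needs; the secret name `example/app/test` and the key `API_TOKEN` are hypothetical placeholders.

```yaml
version: 0.2

env:
  # Optional: non-AWS secrets the build needs, resolved by CodeBuild when the
  # build starts. Value format is <secret-id>:<json-key>.
  # "example/app/test" and "API_TOKEN" are hypothetical; remove this section
  # if the build needs no such secret. The service role needs
  # secretsmanager:GetSecretValue on that one secret only.
  secrets-manager:
    API_TOKEN: "example/app/test:API_TOKEN"

phases:
  install:
    runtime-versions:
      nodejs: 12
    commands:
      - npm install -g serverless
      - npm install -g serverless-plugin-log-retention
  pre_build:
    commands:
      - npm install -g jest
      # No AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY exports here. The AWS SDK
      # that serverless uses picks up the temporary credentials of the
      # CodeBuild service role from the build container, so no long-lived key
      # is stored in the repository or in the build logs.
      # This call prints the identity the build runs as (the service role).
      - aws sts get-caller-identity
  build:
    commands:
      - jest
  post_build:
    commands:
      - serverless deploy
```

With this layout, what a build can do in the account is decided by the policy attached to the service role, so that policy should be limited to the resources the deployment creates or updates.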
