Reputation: 1846
Update:
Not sure when this happened, but this now works as described below. There is also an option in the Pipeline build action to set the secret directly.
Original Question:
I have an environment variable for the secret-id set inside the build phase of an AWS CodePipeline, e.g. $SECRET_ID.
I want to use it in the CodeBuild buildspec.yml to get a set of secrets from the Secrets Manager based on my environment. Is it possible to self-reference other variables in a buildspec file?
This is how I would have anticipated it would work, but it doesn't.
```yaml
version: 0.2
env:
  secrets-manager:
    MY_SECRET: ${SECRET_ID}
phases:
  build:
    commands:
      - echo $MY_SECRET
```
I receive the following error in the build logs.
```
Secrets Manager Error Message: ValidationException: Invalid name. Must be a valid name containing alphanumeric characters, or any of the following: -/_+=.@!
```
Upvotes: 10
Views: 16497
Reputation: 188
You can call the AWS API in one of the phases too instead.
```yaml
version: 0.2
phases:
  build:
    commands:
      # Fetch the whole secret; $SECRET_ID is expanded by the shell here,
      # which is why this works even though the env block does not expand it.
      - SECRET_JSON=$(aws secretsmanager get-secret-value --secret-id "$SECRET_ID")
      # .SecretString holds the secret as a JSON string; parse it and pick one key.
      - MY_SECRET_VALUE=$(echo "$SECRET_JSON" | jq -r '.SecretString | fromjson | .mySecretKey')
      # Prints the value to the build log.
      - echo "$MY_SECRET_VALUE"
```
Here `.SecretString` is given by the structure of the `secretsmanager` output, and `mySecretKey` is the custom key of a key-value pair in the secret.
Upvotes: 2
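A Python equivalent of the jq pipeline in the answer above, added here as an example and not part of any answer on this page. It parses a constructed `get-secret-value` response (the same shape the CLI prints, with field values invented for the example), extracts one key from `SecretString`, handles the `SecretBinary` case, and includes a pre-check that reproduces the failure from the question: a secret-id that still contains an unexpanded `${...}` or `$NAME` reference will never pass the name validation quoted in the error message. All function names and sample data are assumptions of this example.

```python
import base64
import json
import re

# Constructed sample, shaped like `aws secretsmanager get-secret-value` output.
SAMPLE_RESPONSE = json.dumps({
    "ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/prod-AbCdEf",
    "Name": "app/prod",
    "SecretString": json.dumps({"mySecretKey": "s3cr3t", "dbPassword": "hunter2"}),
    "VersionId": "00000000-0000-0000-0000-000000000000",
})

# Constructed sample of a binary secret; the CLI base64-encodes SecretBinary.
SAMPLE_BINARY_RESPONSE = json.dumps({
    "Name": "app/keyfile",
    "SecretBinary": base64.b64encode(b"\x00\x01binary-key").decode("ascii"),
})

# Matches a literal, unexpanded shell reference such as "${SECRET_ID}" or "$SECRET_ID".
_UNEXPANDED = re.compile(r"\$\{?[A-Za-z_][A-Za-z0-9_]*\}?")


def has_unexpanded_reference(secret_id: str) -> bool:
    """True if secret_id still carries a shell variable reference.

    The buildspec env block is resolved by CodeBuild, not by a shell, so a
    value like '${SECRET_ID}' reaches Secrets Manager verbatim. '$', '{' and
    '}' are outside the allowed name characters (alphanumeric or -/_+=.@!),
    which is the ValidationException shown in the question.
    """
    return _UNEXPANDED.search(secret_id) is not None


def extract_secret_key(response_json: str, key: str) -> str:
    """Same as `jq -r '.SecretString | fromjson | .<key>'` on the CLI output."""
    resp = json.loads(response_json)
    if "SecretString" not in resp:
        raise ValueError("secret has no SecretString (binary secret?)")
    payload = json.loads(resp["SecretString"])
    if key not in payload:
        raise KeyError(f"key {key!r} not present in secret {resp.get('Name')!r}")
    return payload[key]


def extract_secret_binary(response_json: str) -> bytes:
    """Decode a SecretBinary payload, which the CLI returns base64-encoded."""
    resp = json.loads(response_json)
    if "SecretBinary" not in resp:
        raise ValueError("secret has no SecretBinary")
    return base64.b64decode(resp["SecretBinary"])


if __name__ == "__main__":
    for candidate in ("${SECRET_ID}", "app/prod"):
        state = "would be rejected" if has_unexpanded_reference(candidate) else "ok"
        print(f"{candidate!r}: {state}")
    # Length only: avoid printing secret material to a build log.
    print("mySecretKey length:", len(extract_secret_key(SAMPLE_RESPONSE, "mySecretKey")))
    print("binary secret bytes:", len(extract_secret_binary(SAMPLE_BINARY_RESPONSE)))
```

In a real build the response string would come from the CLI call shown in the answer above; the point of the pre-check is that it fails fast in the shell phase, where `$SECRET_ID` has actually been expanded, rather than at the Secrets Manager API.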
Reputation: 41
You simply need to reference it directly, as `key: secret-id`, where key (Required) is the local environment variable name; use this name to access the variable during the build. secret-id (Required) is the name or Amazon Resource Name (ARN) that serves as a unique identifier for the secret. To access a secret in your AWS account, simply specify the secret name. To access a secret in a different AWS account, specify the secret ARN.
```yaml
version: 0.2
env:
  secrets-manager:
    MY_SECRET: SECRET_ID
phases:
  build:
    commands:
      - echo $MY_SECRET
```
Upvotes: 3
Reputation: 11
I faced the same error. Set the ARN in the environment variable, like below:
```shell
export SECRET_ID=arn:aws:secretsmanager:...
```
It will work.
Upvotes: 1