LP13

Reputation: 34109

How to retrieve a secret from AWS Secrets Manager during GitLab CI/CD

In GitLab's CI/CD pipeline I want to retrieve the secret from AWS Secrets Manager and assign it to a variable DATABASE_CONNECTION. The runner has access to AWS SM and I would like to use the AWS CLI to do that.

deploy-dev:      # This job runs in the deploy stage.
  image: dockerxxxx/awscli
  stage: deploy
  environment: 
    name: development
  script:
    - aws secretsmanager get-secret-value --secret-id MyTestSecret

This returns JSON something like

{
    "ARN": "arn:aws:secretsmanager:us-west-2:123456789012:secret:MyTestSecret-a1b2c3",
    "Name": "MyTestSecret",
    "VersionId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "SecretString": "{\"DB_URL\":\"connection string\"}",
    "VersionStages": [
        "AWSCURRENT"
    ],
    "CreatedDate": 1523477145.713
}

How do I assign value of DB_URL to DATABASE_CONNECTION in script?

I know GitLab has a variable option to store a secret with Mask on, but for security reasons I am not allowed to use that option. GitLab has an integration with Vault, but I don't have that option either.

Upvotes: 4

Views: 6712

Answers (1)

sytech

Reputation: 40921

You can use the --output and --query parameters for the get-secret-value command in order to get the raw secret text as the result of the command. In this case, because your secret is a JSON-formatted string, you can then use jq to parse the JSON in the secret.

script: # be sure to install `jq` if needed
  - jq --version  # make sure jq is installed!
  - secret_value="$(aws secretsmanager get-secret-value --secret-id MyTestSecret --output text --query SecretString)"
  - db_url="$(jq -r .DB_URL <<< "$secret_value")"  # quote the here-string so the JSON reaches jq intact
  # db_url will contain the value of the DB_URL key in your secret JSON string

  - export MY_APP_CONNECTION_STRING="$db_url"  # or however you need to use it

Upvotes: 7
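A fuller version of the same approach, added here as an example and not part of the original answer: a small shell script that fetches the SecretString, treats the `None` that `--output text` prints for a secret that has only SecretBinary as an error, pulls one key out of the JSON with `jq -e` (falling back to `python3` when jq is not in the image; that fallback is my assumption, not something the answer suggests), and fails the job instead of exporting an empty value when the key is missing. The `AWS_CLI` override, the `SECRET_ID`/`SECRET_KEY` variables and the function names are mine, not AWS or GitLab conventions.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Fetch one key out of a JSON-formatted secret in AWS Secrets Manager and
# expose it to the rest of a GitLab CI job without echoing it to the log.
set -eu

# Raw SecretString of a secret. AWS_CLI lets a test stub the CLI (an
# assumption for testing only; in the job it is simply `aws`).
fetch_secret_string() {
  local secret_id="$1"
  "${AWS_CLI:-aws}" secretsmanager get-secret-value \
    --secret-id "$secret_id" --output text --query SecretString
}

# Print one top-level key of a JSON document. `jq -e` exits non-zero when the
# key is absent (null); the python3 fallback (assumed available in images
# without jq) behaves the same way.
json_field() {
  local json="$1" key="$2"
  if command -v jq >/dev/null 2>&1; then
    printf '%s' "$json" | jq -er --arg k "$key" '.[$k]'
  else
    printf '%s' "$json" | python3 -c \
      'import json, sys; v = json.load(sys.stdin).get(sys.argv[1]); sys.exit(1) if v is None else print(v)' \
      "$key"
  fi
}

# Look up KEY inside secret SECRET_ID. Fails (non-zero) instead of returning
# an empty string when the secret has no SecretString (the CLI prints "None"
# for a binary-only secret in text output) or when the key is missing.
get_secret_field() {
  local secret_id="$1" key="$2" raw value
  raw="$(fetch_secret_string "$secret_id")"
  if [ -z "$raw" ] || [ "$raw" = "None" ]; then
    echo "secret $secret_id has no SecretString" >&2
    return 1
  fi
  value="$(json_field "$raw" "$key")" || {
    echo "key $key not present in secret $secret_id" >&2
    return 1
  }
  printf '%s' "$value"
}

# In the GitLab job, run with SECRET_ID set (SECRET_KEY defaults to DB_URL).
# Guarded so the functions can be sourced or tested without touching AWS.
if [ -n "${SECRET_ID:-}" ]; then
  DATABASE_CONNECTION="$(get_secret_field "$SECRET_ID" "${SECRET_KEY:-DB_URL}")"
  export DATABASE_CONNECTION
  # Never `echo "$DATABASE_CONNECTION"` or run with `set -x`: GitLab masks
  # only variables declared as masked in the project, not values fetched here.
fi
```

Because the runner executes every line of `script:` in one shell, `- . ./get_secret.sh` followed by `- ./deploy.sh` is enough for `DATABASE_CONNECTION` to be visible to the deploy step; the value never appears in the job log unless something prints it, since GitLab's masking does not apply to values obtained at run time.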
