Get values from SecretsManager during Pipeline stages

[davivcgarcia]

I would like to have the Build stage (CodeBuild) getting values from SSM/ParameterStore or SecretsManager. The reason is to handle authentication on Docker Hub and overcome the recent rate limiting applied to anonoymous pulls, without exposing sensitive data in the CodeBuild spec files.

For that I understand that we need to have specific IAM permissions added to CodeBuild, such as ssm:GetParameters or secretsmanager:GetSecretValue, and then use the structure below in the buildspec.yaml:

env:
  parameter-store:
    key: "value"
  secrets-manager:
    key: secret-id:json-key:version-stage:version-id

However, looks like this customization is not yet supported with copilot (#1689).

What is the recommended way for doing that? Is that feature in the roadmap?

[ShanikaEdiriweera]

It would be great if the environment variables/secrets defined in service manifest passed on to the build environment.

[Lou1415926]

Hey there @ShanikaEdiriweera 👋🏼 I'm curious to know what are the secrets that you want in both the service manifest and the build environment, and why the env section in buildspec.yml doesn't suffice 👀 ?

[ShanikaEdiriweera]

My bad. The test database configurations used for integration tests at build stage is same at this stage but could be different for other environments! Thanks for pointing out

[Lou1415926]

Hey @davivcgarcia ! You can actually attach the additional policy via. the build.additional_policy field:

build:
  additional_policy:
    PolicyDocument: 
      {
        “Statement": [
          {
            "Action": ["secretsmanager:GetSecretValue"],
            "Effect": "Allow",
            "Resource": "*"
          }
        ],
        "Version": "2012-10-17"
      }

Thank you for bringing this up - we probably just forgot to close #1689 😅 . Hope this helps!