Buildkite plugin for working with AWS Secrets Manager

Primary language: Shell. License: BSD-3-Clause-Clear

AWS Secrets Manager Buildkite Plugin

A Buildkite plugin to read secrets from AWS Secrets Manager.

Unlike AWS Systems Manager (AWS SSM) Parameter Store, AWS Secrets Manager (AWS SM) supports:

  • Cross account access without assuming a role; and
  • The ability to setup automatic rotation of secrets

Setup

This plugin requires AWS CLI version 1.15 or above, as AWS Secrets Manager support is relatively new.

See AWS Setup for instructions on setting up the provider AWS account, and the build agent permissions.

Supported Secrets

This plugin supports both SecretString and SecretBinary AWS SM secret types.

SecretString

An AWS SM secret string may be plaintext or key/value. If you create a key/value secret, the raw JSON is returned. This plugin does not yet expand the JSON for you, but jq can be used to pull individual values out of it.

SecretStrings can be exposed in an environment variable (env) or saved to a file.
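The following is an added example, not code from the plugin or its README: it shows how a command step can pull one field out of a key/value SecretString that the plugin has placed in an environment variable. It uses jq as the README suggests, and falls back to python3 on agents without jq (that fallback is this example's choice, not something the page describes). The function name `secret_json_value` and the sample secret JSON are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the seek-oss/aws-sm plugin): extract one field
# from a key/value SecretString exposed via the plugin's `env` option.

# Constructed sample of what AWS SM returns for a key/value secret. In a real
# pipeline this string would already be in $MY_SECRET via the plugin.
SAMPLE_SECRET_JSON='{"username":"deploy","password":"s3cr3t-example","port":5432}'

# secret_json_value JSON KEY -> prints the value for KEY, exit 1 if it is missing.
# jq -e turns a null result (missing key) into a non-zero exit, -r strips the
# quotes, and --arg passes the key as data instead of splicing it into the filter.
# Fallback for agents without jq: a python3 one-liner doing the same lookup.
secret_json_value() {
  json=$1
  key=$2
  if command -v jq >/dev/null 2>&1; then
    printf '%s' "$json" | jq -er --arg k "$key" '.[$k]'
  else
    printf '%s' "$json" | python3 -c '
import json, sys
value = json.load(sys.stdin).get(sys.argv[1])
if value is None:
    sys.exit(1)
print(value)
' "$key"
  fi
}

# Typical use inside a command step: keep the value in a variable and hand it
# to the tool that needs it; never echo it, since build logs are not a safe
# place for secrets. Fail the step early if the key is absent.
DB_PASSWORD=$(secret_json_value "$SAMPLE_SECRET_JSON" password) || {
  echo "secret is missing the 'password' key" >&2
  exit 1
}
```

In a pipeline the same call would read `$(secret_json_value "$MY_SECRET" password)` after the plugin has populated `MY_SECRET`; the function exits non-zero for a missing key so a misconfigured secret fails the step instead of silently passing an empty value downstream.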

SecretBinary

Binary secrets can be saved to a file. They cannot be used with env (as they contain binary data).
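The page does not describe how the plugin writes a SecretBinary to disk; the following is an added example, not the plugin's own code, showing one way to do it with the AWS CLI. The CLI returns SecretBinary base64-encoded in its JSON response, so the bytes must be decoded before being written, and the file is created with mode 0600 so other users on the agent cannot read it. The `aws` shell function is a constructed stub standing in for the real CLI so the example runs offline; `save_binary_secret` and `secret_file_size` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not part of the seek-oss/aws-sm plugin): fetch a SecretBinary
# secret and write the decoded bytes to a file, as the README's `file` option does.

# Constructed stub standing in for the real AWS CLI so this runs offline.
# Delete this function on an agent that has credentials and the real `aws`.
# The payload is the base64 of the constructed bytes "binary\0secret\n" (14 bytes).
# With `--query SecretBinary --output text` the real CLI prints the base64 text,
# and prints the literal word "None" when the secret has no SecretBinary field.
aws() {
  case "$*" in
    *--secret-id\ my-secret-file-id*) printf '%s\n' 'YmluYXJ5AHNlY3JldAo=' ;;
    *) printf 'None\n' ;;
  esac
}

# save_binary_secret SECRET_ID PATH -> writes the decoded secret to PATH (0600).
save_binary_secret() {
  secret_id=$1
  out=$2
  # Real call: aws secretsmanager get-secret-value --secret-id ID \
  #              --query SecretBinary --output text
  encoded=$(aws secretsmanager get-secret-value --secret-id "$secret_id" \
              --query SecretBinary --output text) || return 1
  # A SecretString-only secret (or a wrong id) yields "" or "None" here; refuse
  # it rather than base64-decoding that text into garbage on disk.
  case $encoded in
    ''|None) echo "no SecretBinary for $secret_id" >&2; return 1 ;;
  esac
  # umask in a subshell so only this file gets the restrictive mode.
  (umask 077; printf '%s\n' "$encoded" | base64 -d > "$out")
}

# secret_file_size PATH -> byte count, so callers can confirm the decode.
secret_file_size() {
  wc -c < "$1" | tr -d ' '
}
```

Checking for the `None` sentinel before decoding matters: `base64 -d` happily decodes the four letters of "None" into three junk bytes, so without the guard a mis-typed secret id produces a non-empty but useless file that the next step would try to use.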

Example

For Secrets in the Same Account

For secrets in the same AWS account as the agent, you can use the secret name rather than the whole ARN.

steps:
  - commands: 'echo \$MY_SECRET'
    plugins:
      - seek-oss/aws-sm#v0.0.5:
          env:
            MY_SECRET: my-secret-id
            MY_OTHER_SECRET: my-other-secret-id
          file:
            - path: 'save-my-secret-here'
              secret-id: 'my-secret-file-id'
            - path: 'save-my-other-secret-here'
              secret-id: 'my-other-secret-file-id'

For Secrets in Another Account

For secrets in another AWS account, use the secret ARN.

steps:
  - commands: 'echo \$SECRET_FROM_OTHER_ACCOUNT'
    plugins:
      - seek-oss/aws-sm#v0.0.5:
          env:
            SECRET_FROM_OTHER_ACCOUNT: 'arn:aws:secretsmanager:ap-southeast-2:1234567:secret:my-global-secret'
          file:
            - path: 'save-my-other-secret-here'
              secret-id: 'arn:aws:secretsmanager:ap-southeast-2:1234567:secret:my-global-file-secret'

Using Secrets in Another Plugin

Per the examples above, the preferred plugin YAML syntax is to use an array of plugins rather than the object-key syntax, as this ensures consistent ordering between plugins. It is thus possible to use secrets from this plugin in another plugin:

steps:
  - command: npm publish
    plugins:
      - seek-oss/aws-sm#v0.0.5:
          env:
            MY_TOKEN: npm-publish-token
      - seek-oss/private-npm#v1.1.1:
          env: MY_TOKEN

Tests

To run the tests of this plugin, run

docker-compose run --rm tests

License

MIT (see LICENSE)