I keep track of a number in parameter store, and access it during CodeBuild executions. The CodeBuild environment is a Windows machine. I would like to print the environment variable.
I've tried the following:
echo $NUMBER
$TMP=$NUMBER; echo $TMP
$TMP=$NUMBER; echo $TMP
Add-Content -Path number.txt -Value $NUMBER; Get-Content number.txt
Add-Content -Path number.txt -Value $NUMBER; Get-Content number.txt
All of them will be printed as asterisks. It looks like CodeBuild will automatically try to censor environment variable it deems sensitive (maybe all parameter store variables? I couldn't find any documentation on this). This particular env variable is not sensitive and we would like to print it. Is there a possible way?
Few months back, CodeBuild implemented best-effort masking of secrets in the build logs. Since the majority use case of Parameter Store is to store sensitive information like passwords, CodeBuild is masking that from build logs. When the values being set as secrets are common strings like numbers or a common word, that will get masked throughout the logs.
Our suggestion for using simple environment variables would be to go with the plain text environment variables, as opposed to Parameter Store or Secrets Manager. Parameter Store and Secrets Manager values will get masked, when the same string is found in the log.
Security is usually not a friend of convenience, so apologies for this but avoiding the leaking of secrets is the primary concern here.
This will be documented properly in the docs soon.
As per my tests, if the Param store variable has the value "ABC", then in the logs anywhere you have "ABC" (even if it is in any other innocent variable) it will be masked.
I guess we are back to square one with this, please use the CLI to obtain the value directly (for a secret value, highly recommend to continue using the buildspec 'parameter-store' construct):
- MY_VAR=$(aws ssm get-parameter --name BUILD_NUM --query "Parameter.Value" --output text)
- echo $MY_VAR
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.