
AWS CodeBuild cannot print parameter store environment variables

I keep track of a number in parameter store, and access it during CodeBuild executions. The CodeBuild environment is a Windows machine. I would like to print the environment variable.

I've tried the following:

  1. Print the environment variable as-is: echo $NUMBER
  2. Assign the environment variable to another variable and print: $TMP=$NUMBER; echo $TMP
  3. Echo the environment variable to a text file and print that text file: Add-Content -Path number.txt -Value $NUMBER; Get-Content number.txt

All of them will be printed as asterisks. It looks like CodeBuild will automatically try to censor environment variables it deems sensitive (maybe all parameter store variables? I couldn't find any documentation on this). This particular env variable is not sensitive and we would like to print it. Is there a possible way?

A few months back, CodeBuild implemented best-effort masking of secrets in the build logs. Since the majority use case of Parameter Store is to store sensitive information like passwords, CodeBuild is masking that from build logs. When the values being set as secrets are common strings like numbers or a common word, that will get masked throughout the logs.

Our suggestion for using simple environment variables would be to go with the plain text environment variables, as opposed to Parameter Store or Secrets Manager. Parameter Store and Secrets Manager values will get masked when the same string is found in the log.

Security is usually not a friend of convenience, so apologies for this but avoiding the leaking of secrets is the primary concern here.

This will be documented properly in the docs soon.

Edit1:

As per my tests, if the Param store variable has the value "ABC", then in the logs anywhere you have "ABC" (even if it is in any other innocent variable) it will be masked.

I guess we are back to square one with this; please use the CLI to obtain the value directly (for a secret value, I highly recommend continuing to use the buildspec 'parameter-store' construct):

  - MY_VAR=$(aws ssm get-parameter --name BUILD_NUM --query "Parameter.Value" --output text)
  - echo $MY_VAR
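
The split the answer recommends, written out as a buildspec for the Windows/PowerShell environment from the question. This is an added example, not code from the original post: BUILD_NUM is the parameter name used in the answer, while DB_PASSWORD and /myapp/db-password are hypothetical names, and it assumes the CodeBuild service role is allowed ssm:GetParameter on BUILD_NUM.

```yaml
version: 0.2

env:
  # Secrets stay in the 'parameter-store' construct. CodeBuild masks the
  # resolved value wherever that string appears in the build log.
  parameter-store:
    DB_PASSWORD: /myapp/db-password   # hypothetical secret parameter

phases:
  build:
    commands:
      # Non-sensitive value: fetched at run time with the AWS CLI instead of
      # being declared under 'parameter-store', so it prints as plain text.
      # Single-quoted so YAML does not interpret the ': ' inside the command.
      - '$BUILD_NUM = aws ssm get-parameter --name BUILD_NUM --query "Parameter.Value" --output text; Write-Output "Build number: $BUILD_NUM"'
      # The secret is consumed without echoing it. If its value did reach
      # the log, it would appear as asterisks.
      - 'if ($env:DB_PASSWORD) { Write-Output "DB password is set" }'
```

Keep short, common values such as build numbers out of the parameter-store block entirely, since any log line containing the same string would be masked as well.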
