
[aws-ecr-assets] Unable to provide secrets to DockerImageAsset build from SSM #11623

Closed
markusl opened this issue Nov 22, 2020 · 3 comments
Assignees
Labels
@aws-cdk/aws-ecr-assets Related to AWS CDK Docker Image Assets bug This issue is a bug. effort/medium Medium work item – several days of effort p1

Comments

@markusl
Contributor

markusl commented Nov 22, 2020

It is common to include company internal artifacts or require some other integrations when running Docker asset builds.
In our case, we just want to simply install some internal NPM packages when building the components.

Using buildArgs of DockerImageAsset for reading parameters from the SSM Secure Strings does not seem to be supported?

This is also somewhat related to #10151 as the internal repositories can only be accessed via VPC connections.

Workaround

The pipeline setup contains:

    synthAction: pipelines.SimpleSynthAction.standardNpmSynth({
      environment: { privileged: true },
      sourceArtifact,
      cloudAssemblyArtifact,

      buildCommand: 'npm run build',
      subdirectory: 'cdk',
      environmentVariables: {
        NPM_TOKEN: {
          type: codebuild.BuildEnvironmentVariableType.PARAMETER_STORE,
          value: 'company-internal-artifactory-token'
        },
      }
    }),

The asset image build uses the provided NPM_TOKEN:

  const dockerAsset = new assets.DockerImageAsset(scope, 'app', {
    directory: '../app',
    buildArgs: {
      NPM_TOKEN: process.env.NPM_TOKEN ?? ''
    }
  });

What did you expect to happen?

We'd like to have a documented way of providing some secrets to the DockerImageAsset.

What actually happened?

The provided secret is printed to the build log without masking it, which is not optimal.

verbose: [0%] debug: docker build --build-arg NPM_TOKEN=xxxxxxxxxx== --tag cdkasset-257bfb6650e113016f7693018e8213ccb5b96188bec5ddeaa4ca282485a31d63 .

Environment

  • CDK CLI Version: 1.74.0 (build e86602f)
  • Framework Version: 1.74.0 (build e86602f)
  • Node.js Version: v14.15.0
  • OS: macOS
  • Language (Version): TypeScript 4

Other

This is 🐛 Bug Report

@markusl markusl added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 22, 2020
@github-actions github-actions bot added the @aws-cdk/aws-ecr-assets Related to AWS CDK Docker Image Assets label Nov 22, 2020
@eladb eladb assigned rix0rrr and unassigned eladb Nov 29, 2020
@rix0rrr rix0rrr added this to the [GA] CDK Pipelines milestone Nov 30, 2020
@rix0rrr rix0rrr added effort/medium Medium work item – several days of effort p1 labels Nov 30, 2020
@SomayaB SomayaB removed the needs-triage This issue or PR still needs to be triaged. label Nov 30, 2020
@rix0rrr
Contributor

rix0rrr commented Jan 7, 2021

Duplicate of #10999

@rix0rrr rix0rrr marked this as a duplicate of #10999 Jan 7, 2021
@rix0rrr rix0rrr closed this as completed Jan 7, 2021
@github-actions

github-actions bot commented Jan 7, 2021

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@ColeMurray

ColeMurray commented Mar 13, 2021

@markusl,

You can use Secrets Manager and the EnvironmentVariableType.SECRETS_MANAGER type to overcome this.

Example:

import * as iam from '@aws-cdk/aws-iam';
import { BuildEnvironmentVariableType } from '@aws-cdk/aws-codebuild';
import { SimpleSynthAction } from '@aws-cdk/pipelines';

const synthAction = SimpleSynthAction.standardNpmSynth({
  sourceArtifact,
  cloudAssemblyArtifact,
  installCommand: "npm install -g npm && npm ci",
  buildCommand: 'npm run build',
  // The synth project needs permission to read the secret at build time.
  rolePolicyStatements: [new iam.PolicyStatement({
    resources: ["*"],
    actions: ["secretsmanager:GetSecretValue"]
  })],
  subdirectory: './deployment',
  environment: {
    privileged: true,
    environmentVariables: {
      NPM_TOKEN: {
        value: '<YOUR VALUE NAME HERE>',
        type: BuildEnvironmentVariableType.SECRETS_MANAGER
      }
    }
  },
});

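The leaked `docker build --build-arg NPM_TOKEN=...` line quoted in the report is the kind of output a build-log scrubber should catch regardless of where the token came from. The following is an added example, not code from this issue or from the AWS CDK project: a small TypeScript helper that finds `--build-arg` values in a docker build command line, flags the ones whose names look secret-bearing (the name pattern is an assumed operator-configured list), and returns a redacted copy of the line for a CI log filter or a CodeBuild log post-processor. The sample log lines are constructed in the same shape as the one in the issue.

```typescript
// Added example (not from the issue or AWS CDK): detect and redact
// secret-bearing --build-arg values in docker build command lines as
// they appear in CDK verbose/debug build logs.

export interface BuildArgFinding {
  name: string;   // build-arg name, e.g. NPM_TOKEN
  value: string;  // plaintext value as it appeared in the log line
}

// Matches `--build-arg NAME=VALUE`, `--build-arg=NAME=VALUE` and the
// double-quoted form `--build-arg "NAME=some value"`.
const BUILD_ARG_RE =
  /--build-arg[ =](?:"([A-Za-z_]\w*)=([^"]*)"|([A-Za-z_]\w*)=(\S*))/g;

// Assumed operator-configured list of name suffixes treated as secrets.
export const DEFAULT_SECRET_NAME_PATTERN =
  /(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|KEY)$/i;

export function findBuildArgs(line: string): BuildArgFinding[] {
  const re = new RegExp(BUILD_ARG_RE.source, 'g'); // fresh state per call
  const findings: BuildArgFinding[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(line)) !== null) {
    findings.push({ name: m[1] ?? m[3], value: m[2] ?? m[4] });
  }
  return findings;
}

// Names of secret-looking build args that carry a non-empty value.
export function findLeakedSecrets(line: string, pattern = DEFAULT_SECRET_NAME_PATTERN): string[] {
  return findBuildArgs(line)
    .filter(f => pattern.test(f.name) && f.value.length > 0)
    .map(f => f.name);
}

// Same line with secret-looking values replaced by a marker; other args untouched.
export function redactBuildArgs(line: string, pattern = DEFAULT_SECRET_NAME_PATTERN): string {
  return line.replace(BUILD_ARG_RE, (whole, qName, qValue, name, value) => {
    const n: string = qName ?? name;
    if (!pattern.test(n)) return whole;
    const v: string = qValue ?? value;
    return whole.replace(`${n}=${v}`, `${n}=[REDACTED]`);
  });
}

// Constructed sample log lines mirroring the format quoted in the issue.
export const SAMPLE_LOG = [
  'verbose: [0%] debug: docker build --build-arg NPM_TOKEN=xxxxxxxxxx== --tag cdkasset-abc .',
  'verbose: [0%] debug: docker build --build-arg NODE_ENV=production --tag cdkasset-def .',
];
```

Redacting the log is only damage control: a value passed as a build arg is also recorded in the image's layer metadata, so keeping the secret out of `--build-arg` in the first place remains the fix.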