How to properly retrieve secrets from Amazon Secrets Manager


#1

Hello,

I was able to configure concourse to pull secrets from aws secret manager. Now, I see that I cannot reference values stored in the secret but only pull the entire secret.

For instance, my configuration:

jobs:
- name: hello-world
  plan:
  - task: say-hello
    config:
      image_resource:
        source:
          repository: ubuntu
        type: docker-image
      params:
        name: ((username))
      platform: linux
      run:
        path: env

In this case I have a secret called username, which contains two values: username and password. The pipeline returns this:

name={"username":"guest","password":"guest"}

Is it possible to reference a certain value in my secret or is it better to store a dedicated secret for each value?

With vault example, I noticed this approach:

private_key:  (( vault "secret/pipelines/shared/github:private_key" ))
access_token: (( vault "secret/pipelines/shared/github:access_token" ))

In this case, I assume vault is an operator passed in parentheses. Is there one for aws secret manager?

Update:

I found an approach to use meta to organize the values that can be passed to the tasks. I am trying to implement this but only using aws secrets: https://github.com/starkandwayne/concourse-pullrequest-playtime/tree/master/ci

How can I define aws secrets in meta portion so that they can be passed to the tasks? I tried specifying secrets in meta but it doesn’t expand. Is using secrets only possible via “params:” ? I think aws secrets operator would help but I cannot find any documentation on it.

Is this supported:

- name: git-pull-requests
  type: pull-request
  source:
    access_token: ((git_access_token))
    base: concourse_ci
    private_key: ((git_private_key))
    repo: mygitrepo

where ((git_access_token)) and ((git_private_key)) are secrets stored in aws?

Anyone?

Unfortunately this doesn’t seem to work:

resources:
- name: git
  type: git
  source:
    private_key: ((git_private_key))   # ------>>> secret stored in aws

but accessing secrets via params (example job above) works fine. Any suggestions?


#2

I use private keys stored in vault and you should be able to use them with amazon secrets manager


#3

@pfijalki
I agree, it should work with amazon secrets. In this example above, I found how I could retrieve secrets with vault but I couldn’t find any documentation on amazon secrets. This page only talks about accessing secrets via params:

https://concourse-ci.org/creds.html#asm

Any suggestions?


#4

@Dan

I think you should have a setup

private_key: ((your-private-key))

and in your secrets manager key somewhere in

/concourse/TEAM_NAME/PIPELINE_NAME/your-private-key

or

/concourse/TEAM_NAME/your-private-key

Please note that in case of vault I need to have a key for instance

/concourse/TEAM_NAME/your-private-key with value ‘value’ which contains actual value :wink: I know it might be confusing but vault is a kv store, so in this case it should have

key: /concourse/TEAM_NAME/your-private-key
value: value=ACTUAL_VALUE

maybe there’s similar case with your secret manager. For me it was also very useful to grep logs with ‘vault’ or your-private-key to get errors


#5

I think I found the problem. When I was testing the resource I was running this:
fly -t example check-resource --resource pipeline/git, which triggers the resource and in this case it was able to fetch the secret. However, the automatic resource check returns "Expected to find variables: git_private_key". I am still learning concourse so wasn't sure initially what was going on but now I can clearly reproduce it.
I think the automatic lookup is unable to fetch/determine value of ((git_private_key)). Only when I manually trigger the resource it works.


#6

Really, is this the case? Running

fly -t example cr -r pipeline/git

afaik does the same job as is periodically run on the resource


#7

Yeah. It is strange but running this fly -t example cr -r pipeline/git reports a successful check and when I go to a container I see my private key there. Then after a minute (when concourse automatically triggers it) I get:

Expected to find variables: git_private_key.

Update:

I was using concourse helm chart and it also had kubernetes secrets enabled. After I disabled it and restarted the pods it started to work fine. There was probably a conflict between credential managers when it tried to look it up. Woohoo.


#8

@Dan
I think you’ve stumbled on to a regression that I’m also seeing with AWS SSM. I think it might have something to do with the aws-sdk-go package dep being updated, but I’m not 100%. I’m going to open an issue to track my findings.


#9

Hi,

please see original pull request for SecretsManager support… If you want to store/retrieve a multi-value variable, the value in SecretsManager must be of type “SecretBinary”.

Best,

Sascha
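To make the lookup rules discussed in #4 (pipeline-scoped path tried before the team-scoped path) and #9 (a multi-value secret must be SecretBinary holding JSON so that ((var.field)) can be resolved) concrete, here is an added illustration written for this thread; it is not code from the posters or from Concourse itself. It assumes an in-memory stand-in for GetSecretValue responses with constructed, hypothetical secret names and values.

```python
import json
import re

# Constructed stand-in for Secrets Manager GetSecretValue responses
# (hypothetical names and values, not a real account). Each entry mimics
# the API's SecretString or SecretBinary field.
FAKE_SECRETS = {
    "/concourse/main/hello-world/username": {
        "SecretBinary": json.dumps({"username": "guest", "password": "guest"}).encode()
    },
    "/concourse/main/git_private_key": {
        "SecretString": "-----BEGIN KEY-----\nconstructed\n-----END KEY-----"
    },
}

# ((name)) or ((name.field)); no whitespace is permitted inside the parens
VAR_RE = re.compile(r"\(\(([A-Za-z0-9_-]+)(?:\.([A-Za-z0-9_-]+))?\)\)")


def lookup_paths(team, pipeline, name):
    """Pipeline-scoped path first, then the team-scoped fallback."""
    return [f"/concourse/{team}/{pipeline}/{name}", f"/concourse/{team}/{name}"]


def fetch_secret(path, store=FAKE_SECRETS):
    """str for SecretString, dict for JSON SecretBinary, None if absent."""
    entry = store.get(path)
    if entry is None:
        return None
    if "SecretString" in entry:
        return entry["SecretString"]          # returned verbatim, even if it looks like JSON
    return json.loads(entry["SecretBinary"].decode())


def resolve(team, pipeline, name, field=None, store=FAKE_SECRETS):
    """Walk the lookup paths; raise the same message Concourse logs when nothing matches."""
    for path in lookup_paths(team, pipeline, name):
        value = fetch_secret(path, store)
        if value is None:
            continue
        if field is None:
            return value
        if isinstance(value, dict) and field in value:
            return value[field]
        raise KeyError(f"{name} has no field {field!r} (multi-value secrets must be SecretBinary JSON)")
    raise KeyError(f"Expected to find variables: {name}")


def interpolate(text, team, pipeline, store=FAKE_SECRETS):
    """Replace every ((var)) / ((var.field)) in a pipeline fragment; dicts are emitted as JSON."""
    def sub(m):
        value = resolve(team, pipeline, m.group(1), m.group(2), store)
        return value if isinstance(value, str) else json.dumps(value)
    return VAR_RE.sub(sub, text)
```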