Integrating AWS CodeBuild with AWS Secrets Manager allows you to securely manage and use sensitive information like API keys, passwords, or database credentials within your build projects. 

Let's see how to achieve this integration:

Step 1: Store Your Secret in AWS Secrets Manager

  1. Create a Secret in Secrets Manager:
  • Go to the AWS Secrets Manager Console.
  • Click on "Store a new secret".
  • Choose the type of secret you want to store (e.g., "Other type of secrets").
  • Enter your secret details (e.g., key-value pairs).
  • Click "Next" and follow the prompts to name and save your secret.

Step 2: Set Up IAM Permissions
  1. Create a Policy for Secrets Manager:
  • Go to the IAM service in the AWS Management Console.
  • Create a new policy that grants secretsmanager:GetSecretValue on that one secret only. Secrets Manager appends a random six-character suffix to every secret ARN, so either copy the full ARN from the secret's detail page or end the resource with -* as shown here.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:your-region:your-account-id:secret:myapp/dbcredentials-*"
        }
    ]
}
  2. Attach Policy to CodeBuild Service Role:
  • Find the IAM role associated with your CodeBuild project (usually named something like codebuild-<project-name>-service-role).
  • Attach the newly created policy to this role.

Step 3: Modify Your CodeBuild Project
  1. Edit Environment Variables:
  • Go to the CodeBuild project in the AWS Management Console.
  • Edit the build project.
  • Add an environment variable for the secret name. For example:
SECRET_NAME=myapp/dbcredentials
  2. Modify buildspec.yml to Retrieve Secrets
  • Modify your buildspec.yml file to retrieve the secret from Secrets Manager using the AWS CLI and export it as environment variables.
version: 0.2
phases:
  install:
    runtime-versions:
      python: 3.8
    commands:
      - pip install boto3
      # jq is used in pre_build to parse the secret JSON; install it here if your build image does not ship it
  pre_build:
    commands:
      - echo "Fetching secrets from AWS Secrets Manager"
      - |
        # Abort the build if the lookup fails instead of continuing with empty credentials
        set -e
        # SECRET_NAME is the project environment variable defined above (e.g. myapp/dbcredentials)
        SECRET_JSON=$(aws secretsmanager get-secret-value --secret-id "$SECRET_NAME" --query SecretString --output text)
        export DB_USERNAME=$(echo "$SECRET_JSON" | jq -r '.db_username')
        export DB_PASSWORD=$(echo "$SECRET_JSON" | jq -r '.db_password')
  build:
    commands:
      - echo "Building the project"
      - ./build_script.sh
  post_build:
    commands:
      - echo "Build completed"


Explanation:
  • Install Phase: Install boto3 (the Python AWS SDK); jq, which the pre-build step uses to parse the secret JSON, must be available in the build image.
  • Pre-build Phase: Fetch secrets using the AWS CLI and export them as environment variables.
  • Build Phase: Run your build commands, which can now use the environment variables containing the secrets.
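As an added example (not code from the original page), the same pre-build retrieval done with boto3, which the install phase already provides, with two things the jq one-liners lack: the build fails if a required key is missing or empty, and values are shell-quoted so passwords containing $, quotes or spaces survive the export. The file name fetch_secrets.py and its command line are assumptions.

```python
import json
import shlex
import sys


def parse_secret(secret_string, required_keys):
    """Parse SecretString JSON and confirm every required key is present and non-empty."""
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError("SecretString is not valid JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("SecretString must be a JSON object of key/value pairs")
    missing = [key for key in required_keys if not data.get(key)]
    if missing:
        # Fail the build early instead of running it with empty credentials.
        raise KeyError("secret is missing required keys: " + ", ".join(sorted(missing)))
    return {key: str(data[key]) for key in required_keys}


def render_exports(values):
    """Emit export lines with shell-safe quoting; key names become upper-case variables."""
    lines = ["export %s=%s" % (name.upper(), shlex.quote(value))
             for name, value in sorted(values.items())]
    return "\n".join(lines) + "\n"


def fetch_secret_string(secret_id, client=None):
    """Read SecretString via boto3; the service role needs secretsmanager:GetSecretValue on it."""
    if client is None:
        import boto3  # imported lazily so parsing can be exercised without AWS access
        client = boto3.client("secretsmanager")
    return client.get_secret_value(SecretId=secret_id)["SecretString"]


if __name__ == "__main__":
    # Assumed usage: python fetch_secrets.py "$SECRET_NAME" db_username db_password
    if len(sys.argv) < 3:
        sys.exit("usage: fetch_secrets.py <secret-id> <required-key> [<required-key>...]")
    secret = fetch_secret_string(sys.argv[1])
    # Only quoted export lines go to stdout; the raw secret JSON is never printed or logged.
    sys.stdout.write(render_exports(parse_secret(secret, sys.argv[2:])))
```

In the pre_build block, redirect the script's output to a file, source it with `.`, and delete the file so the exports never land in the build log.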

Step 4: Test the Integration
Run a Build:
  • Start a build of your CodeBuild project.
  • Check the build logs to ensure the secret is retrieved and used correctly, without the secret values themselves being printed to the log.

Points to remember:
  • Secure Your Secrets: Ensure your IAM roles and policies follow the principle of least privilege.
  • Rotate Secrets Regularly: Use AWS Secrets Manager to rotate your secrets automatically.
  • Audit and Monitor Access: Use AWS CloudTrail to monitor and log access to your secrets.
By following these steps, you can securely integrate AWS CodeBuild with AWS Secrets Manager, ensuring that sensitive information is handled safely throughout your build process.