Cannot access AWS configuration

Pipelines
1

Hi Buildkite team,

We have some issues with Secrets, could you please help me check them?

  1. Secrets keep showing on the UI of pipeline steps.
  • I would like to set AWS credentials as Agent secrets
  • However, I cannot access the secrets from pipeline steps
  • I have to get the secrets from pre-command hook and then export the secrets
  • The secrets keep showing on the UI when I use them in pipeline steps
  1. To resolve the 1st issue, I would like to configure aws credentials in the pre-command hook, but I cannot access the credentials in pipeline step. It works well for other plugins such as: artifacts,…

Could you please tell me if there is a way for us to use the secrets without showing them on the UI?

Thanks.

2

Hello @son.propte,

Could you please confirm where you are seeing the secrets in the UI? Is it under the “Environment” tab of your job? Or is it in the job log?

Have you tried using the Buildkite agent’s environment hook to export secrets to a job?

Let me know if this helps.

3

:wave: On that same page shared previously, you can check for suggestions on how to handle secrets, and particularly about never referencing secrets in your pipeline YAML (which I believe is the issue you are having now). Using a secret storage service is what we recommend, but alternatively, to prevent the risk of interpolation, you should replace the command block with a script in your repository: Writing build scripts | Buildkite Documentation

Cheers!

4

Hi @paula , I tried this one but it doesn’t work

Screenshot 2024-06-27 at 16.05.32
Screenshot 2024-06-27 at 16.05.322106×456 52.7 KB

AWS_ACCESS_KEY_ID is not exposed in the pipeline steps anymore, but it gets empty when running pipline.

Screenshot 2024-06-27 at 16.08.38
Screenshot 2024-06-27 at 16.08.381275×305 64 KB

What should be your recommendation?

5

Hi @paula ,

There is one more issue, I’m not sure, but somehow, I cannot access the secrets in my shell scripts.

I tried to use the secrets in my scripts directly but the variables still get empty.

Screenshot 2024-06-27 at 16.11.14
Screenshot 2024-06-27 at 16.11.142210×494 65.6 KB

What should I do to access the secrets from shell scripts?

6

Hello @son.propte,

Are you using a secrets storage service or are you exporting secrets with an environment hook?

Could you please share links to builds illustrating the behaviour you’re observing?

For privacy and security reasons, make sure to send the links to your builds via email only to support@buildkite.com. (Do not post the links in this forum post).

Thank you.