A Buildkite plugin to expose parameters to build steps via Amazon Systems Manager Parameter Store.
Parameters retrieved from the parameter store are exported as environment variables.
Supported types:
- String
- SecureString
Uploading Parameter to AWS SSM
aws ssm put-parameter --name "MySecret" --value "ThisIsMySecretValue" --type String
The following pipeline step assumes an AWS role, then retrieves and decrypts the SSM parameter (decryption applies to SecureString parameters; a String parameter like the one above is stored unencrypted). The parameter is exported as an environment variable.
steps:
  - label: ":arrow_double_up::load: Load SSM"
    command: "env | grep MySecret"
    plugins:
      - seek-oss/ssm#v0.2.0:
          assume-role-arn: "arn:aws:iam::123456789012:role/RoleToAssume-1234567890"
          ssmkey: "MySecret"
The resulting environment variable will be named 'MySecret'.
You can change the name of the resulting environment variable by setting envvar like so:
plugins:
  - seek-oss/ssm#v0.2.0:
      assume-role-arn: "arn:aws:iam::123456789012:role/RoleToAssume-1234567890"
      ssmkey: "MySecret"
      envvar: "SecretName"
The environment variable can then be used like in the following examples:
Running commands
$ env | grep MySecret
BUILDKITE_PLUGINS=[{"github.com/seek-oss/ssm-buildkite-plugin#v0.1.0":{"ssmkey":"MySecret","assume-role-arn":"arn:aws:iam::123456789012:role/RoleToAssume-1234567890"}}]
BUILDKITE_SCRIPT_PATH=env | grep MySecret
BUILDBOX_COMMAND=env | grep MySecret
BUILDKITE_COMMAND=env | grep MySecret
BUILDBOX_SCRIPT_PATH=env | grep MySecret
MySecret=ThisIsMySecretValue
This plugin needs to be installed directly in the agent so that parameters can be downloaded before jobs attempt checking out your repository.
We are going to assume that Buildkite has been installed at /buildkite, but this will vary depending on your operating system. Change the instructions accordingly.
# clone to a path your buildkite-agent can access
git clone https://github.com/seek-oss/ssm-buildkite-plugin.git /buildkite/ssm
Before running commands the agent will run the pre-command hook (see https://buildkite.com/docs/agent/v3/hooks#available-hooks):
if [[ "${SSM_PLUGIN_ENABLED:-1}" == "1" ]] ; then
  source /buildkite/ssm/hooks/pre-command
fi
When run via the agent pre-command hook, the plugin assumes the role if one is specified, then retrieves and decrypts the SSM parameter. The value is then exported as an environment variable.
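The flow described above (optional role assumption, retrieve and decrypt, export), as an added example that is not the plugin's own hook code. The function names `load_ssm_param` and `valid_env_name` and the session name `ssm-example` are assumptions, and the AWS CLI must be on the agent's PATH.

```shell
#!/bin/sh
# Added example: not the plugin's hook. Function names are hypothetical.

# Accept only valid shell identifiers, so a pipeline-supplied name cannot
# carry extra assignments or shell syntax into the export below.
valid_env_name() {
  case "$1" in
    ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 1 ;;
  esac
}

# load_ssm_param KEY [ENVVAR] [ROLE_ARN]
# Exports ENVVAR (default: KEY) with the decrypted parameter value.
# A hierarchical KEY such as /app/db/password is not a valid variable name,
# so this example requires an explicit ENVVAR for it.
load_ssm_param() {
  key=$1 name=${2:-$1} role=${3:-}
  valid_env_name "$name" || { echo "invalid variable name" >&2; return 2; }
  # Subshell: the temporary role credentials are visible to the SSM call
  # only and never reach the job environment.
  value=$(
    if [ -n "$role" ]; then
      creds=$(aws sts assume-role --role-arn "$role" \
        --role-session-name ssm-example \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text) || exit 3
      set -- $creds   # text output is whitespace-separated
      export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" \
        AWS_SESSION_TOKEN="$3"
    fi
    aws ssm get-parameter --name "$key" --with-decryption \
      --query 'Parameter.Value' --output text
  ) || return 3
  export "$name=$value"
}
```

The `env | grep MySecret` command used above for demonstration prints the value into the build log; a job that only needs to confirm the variable is present can test `[ -n "${MySecret:-}" ]` instead.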
MIT (see LICENSE)
Credit to Buildkite plugin for the assume IAM Role.