5

I am using CodeBuild to access the Systems Manager Parameter Store. In buildspec.yml, I have the parameter-store configured to access some values in Systems Manager (I certainly have the /mysite/dev/mongodb_uri created in parameter store):

version: 0.2

env:
  variables:
    MONGO_URI: 'mongodb+srv'
  parameter-store:
    MONGODB_URI: /mysite/dev/mongodb_uri

phases:
  pre_build:
    commands:
      - echo $MONGO_URI
      - echo $MONGODB_URI

Unfortunately, while CodeBuild will echo out the value for the key in the variables object, it will not for the parameter-store object:

[Container] 2019/12/24 03:16:09 Running command echo $MONGO_URI 
mongodb+srv 

[Container] 2019/12/24 03:16:09 Running command echo $MONGODB_URI 
*** 

It just gives me 3 stars. If I use aws cli, I get the right value:

$ aws ssm get-parameters --names "/mysite/dev/mongodb_uri"
{
    "Parameters": [
        {
            "Name": "/mysite/dev/mongodb_uri",
            "Type": "String",
            "Value": "mongodb+srv://myuser:mypassword@mysite-cluster-n1qub.mongodb.net/test?retryWrites=true&w=majority",
            "Version": 2
        }
    ],
    "InvalidParameters": []
}

My CodeBuild Service Role policies grant me access to Systems Manager:

{
    "Effect": "Allow",
    "Action": [
        "ssm:GetParameters",
        "ssm:DescribeParameters",
        "ssm:GetParameter",
        ...
    ],
    "Resource": [
        "arn:aws:logs:us-east-2:880783130023:log-group:/aws/codebuild/mysite-dev",
        "arn:aws:logs:us-east-2:880783130023:log-group:/aws/codebuild/mysite-dev:*",
        "arn:aws:s3:::codepipeline-us-east-2-*",
        "arn:aws:ssm:us-east-2:880783130023:parameter/mysite/dev/*",
        "arn:aws:codebuild:us-east-2:880783130023:report-group/mysite-dev-*",
        "arn:aws:ssm:us-east-2:880783130023:*"
    ]
}

So why does it give me '***' instead of the actual value when I echo the parameter in buildspec?

Daniel Viglione

1 Answer

6

The "***" is the masking of parameter store output in your log file. The value is available in the environment variable $MONGODB_URI and can be used to pass along to any command or script that needs this value. CodeBuild is merely doing a best-effort masking of log statements which may contain sensitive information.

Also, if you must see the value printed out, you may assign $MONGODB_URI to another variable within your buildspec and print that out.

Subin Mathew
Thanks, I assign it to another variable and still get ***: - LAST_BUILD_NUMBERR=$LAST_BUILD_NUMBER - echo $LAST_BUILD_NUMBERR – alireza Oct 01 '23 at 10:20
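
A way to confirm in the build log that the parameter resolved to a usable connection string without echoing the secret itself. This is an added example, not part of the original question or answer; the function names `redact_uri` and `check_secret_uri` are hypothetical, and it assumes a POSIX shell with `sed -E` in the build image.

```shell
#!/bin/sh
# Added example: verify a secret-bearing environment variable was populated
# without writing the secret to the build log. Function names are hypothetical.

# Replace any "user:password@" userinfo in a URI with "***@" and drop the
# query string, leaving only scheme, host and path for the log.
redact_uri() {
    printf '%s\n' "$1" |
        sed -E -e 's|^([A-Za-z][A-Za-z0-9+.-]*://)[^/?#]*@|\1***@|' \
               -e 's|[?].*$||'
}

# check_secret_uri NAME SCHEME
#   0  $NAME holds a SCHEME:// URI; a redacted summary is printed
#   1  $NAME is unset or empty
#   2  $NAME is set but is not a SCHEME:// URI (for example the literal
#      parameter path, when the name was placed under "variables:")
#   64 NAME is not a valid variable name
check_secret_uri() {
    name=$1
    scheme=$2
    # Reject anything that is not a plain identifier before using eval.
    case $name in
        ''|*[!A-Za-z0-9_]*) echo "invalid variable name" >&2; return 64 ;;
    esac
    eval "value=\${$name-}"
    if [ -z "$value" ]; then
        echo "$name: not set or empty" >&2
        return 1
    fi
    case $value in
        "$scheme"://*) ;;
        *) echo "$name: set, but not a $scheme:// URI" >&2
           return 2 ;;
    esac
    echo "$name: ok, $(redact_uri "$value")"
}

# In a buildspec command list, after sourcing this file:
#   - check_secret_uri MONGODB_URI mongodb+srv
```

A non-zero return code fails the build phase, so a missing or unresolved parameter is caught before any later command tries to use it.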