
How to access a key value pair secret from AWS Secrets Manager, in concourse?


I have a concourse environment deployed using bosh. It is configured with AWS Secrets Manager. The pipeline secret template is of the form /concourse/{{.Team}}/{{.Secret}}

I have a secret /concourse/team1/general created in AWS Secrets Manager (Other type of secrets) with the below value.

{
  "gitbranch": "master",
  "hello": "2",
  "general": "hi"
}

I have a Concourse pipeline hello-world.yml set in the team1 team.

---
jobs:
- name: job
  public: true
  plan:
  - task: check-secret
    config:
      platform: linux
      image_resource:
        type: registry-image
        source: { repository: busybox }
      run:
        path: echo
        args: ["((general))"]

This pipeline outputs the value as

{"gitbranch":"master","hello":"2","general":"hi"}

But, if I change the args (last line) in pipeline to args: ["((general.gitbranch))"], then, I get the below error

failed to interpolate task config: cannot access field 'gitbranch' of non-map value ('string') from var: general.gitbranch

Is it possible to access any of the key value pairs in the secret from AWS Secrets Manager, in the concourse pipeline? If yes, how to do so?


Solution

  • Answering my own question.

    By creating the secret using the CLI with the parameter --secret-binary, I was able to fetch the key-value pairs.

    (Previously, I was creating the secret from the AWS console, which created it as a secret string.)

    I used the command below to update my secret so that it is stored as a binary.

    b64key=$(base64 secrets.json)
    aws secretsmanager update-secret \
        --secret-id  /concourse/team1/general \
        --secret-binary "$b64key"
    

    I found this using-aws-secrets-manager-with-concourse-ci and it was helpful in solving the issue.

    If anyone knows a way to do this in console, kindly let me know.
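
Added example, not part of the answer above or of Concourse's own code: a Python check that takes a GetSecretValue response and reports whether `((general.gitbranch))`-style field access can work, modelling the behaviour described in this question and answer (a string secret resolves to a plain string, a binary secret holding a JSON object exposes its keys). It assumes the response is shaped like the dict returned by boto3's `get_secret_value`, with `SecretBinary` already decoded to bytes; the function name and the sample responses are constructed for illustration.

```python
import base64
import json

def field_access_report(response):
    """Return (ok, detail) for a GetSecretValue-style response dict.

    detail is the sorted list of field names when ok is True,
    otherwise a short reason string.
    """
    if response.get("SecretString") is not None:
        # The case in the question: the whole JSON text is one opaque string.
        return False, "stored as SecretString; resolves to a plain string"
    raw = response.get("SecretBinary")
    if raw is None:
        return False, "response has neither SecretString nor SecretBinary"
    try:
        doc = json.loads(raw.decode("utf-8"))
    except ValueError:  # covers invalid UTF-8 and invalid JSON
        try:
            # Failure mode: the stored bytes are still base64 text.
            inner = base64.b64decode(b"".join(raw.split()), validate=True)
            json.loads(inner.decode("utf-8"))
            return False, "SecretBinary is base64 text wrapping JSON; encoded twice"
        except ValueError:
            return False, "SecretBinary is not JSON"
    if not isinstance(doc, dict):
        return False, "SecretBinary is JSON but not an object"
    return True, sorted(doc)

# Constructed sample responses using the secret value from the question.
SECRET_JSON = '{"gitbranch": "master", "hello": "2", "general": "hi"}'
SAMPLES = {
    "console string": {"SecretString": SECRET_JSON},
    "cli binary": {"SecretBinary": SECRET_JSON.encode()},
    "double encoded": {"SecretBinary": base64.b64encode(SECRET_JSON.encode())},
}

if __name__ == "__main__":
    for label, resp in SAMPLES.items():
        print(label, "->", field_access_report(resp))
```

Running it against a real secret only needs the dict from `get_secret_value` passed in place of a sample.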