Tags: amazon-web-services, aws-codepipeline, aws-codebuild, aws-secrets-manager

AWS Codebuild knows my secret values, but won't inject them into my commands


I have a situation where I have a secret important_secret stored in secrets manager with a secret value of

{
    "tf_cloud_token": "super_secret"
}

In the CodeBuild console, I have linked it up.

In my buildspec, I have:

{
  "version": 0.2,
  "env": {
    "variables": {},
    "secrets-manager": {
      "SECRET_TF_CLOUD_TOKEN": "important_secret:tf_cloud_token"
    },
    "git-credential-helper": "yes"
  },
  "phases": {
    "build": {
      "commands": [
        "printf 'blah \"$SECRET_TF_CLOUD_TOKEN\"' > ~/.terraformrc",
        "more ~/.terraformrc",
        ...

But it will just log blah "$SECRET_TF_CLOUD_TOKEN".

However, when I change it to:

    ...
    "commands": [
      "printf 'blah \"super_secret\"' > ~/.terraformrc",
      "more ~/.terraformrc"
      ...

It'll log blah "***".

Therefore, it definitely knows about my secret value but it's just not injecting it properly.

How do I get it to use the SECRET_TF_CLOUD_TOKEN environment variable I have prepared for it?


Solution

  • Fix the string interpolation: "echo blah \"$SECRET_TF_CLOUD_TOKEN\" > ~/.terraformrc"

    SECRET_TF_CLOUD_TOKEN="my-secret"
    
    echo blah \"$SECRET_TF_CLOUD_TOKEN\" > ~/.terraformrc
    
    cat ~/.terraformrc
    # -> blah "my-secret"