AWS codepipeline medium security documentation change
Summary
Expanded documentation on environment types, compute types, and environment variables with security guidance for Secrets Manager integration
Security assessment
Added explicit warnings about plaintext environment variable risks, documented SECRETS_MANAGER integration with required IAM permissions, and highlighted risks of pipeline edit access exposing secrets. These changes directly address secure secret handling practices.
Diff
diff --git a/codepipeline/latest/userguide/action-reference-Commands.md b/codepipeline/latest/userguide/action-reference-Commands.md index c19d10f8e..02857301d 100644 --- a//codepipeline/latest/userguide/action-reference-Commands.md +++ b//codepipeline/latest/userguide/action-reference-Commands.md @@ -141 +141,25 @@ Multi-line formats are not supported and will result in an error message. Single -The following details provide the default compute that is used for the Commands action. For more information, see [Build environment compute modes and types](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html) reference in the CodeBuild User Guide. +###### Important + +The EnvironmentType and ComputeType values match those in CodeBuild. We support a subset of the available types. For more information, see [Build Environment Compute Types](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html). + +**EnvironmentType** + + +Required: No + +The OS image for the build environment that supports the Commands action. The following are valid values for build environments: + + * LINUX_CONTAINER + + * WINDOWS_SERVER_2022_CONTAINER + + + + +The selection for **EnvironmentType** will then allow the compute type for that OS in the **ComputeType** field. For more information about the CodeBuild compute types available for this action, see the [Build environment compute modes and types](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html) reference in the CodeBuild User Guide. + +###### Note + +If not specified, the compute defaults to the following for the build environment: + + * **Compute type:** BUILD_GENERAL1_SMALL @@ -143 +167 @@ The following details provide the default compute that is used for the Commands - * **CodeBuild image:** aws/codebuild/amazonlinux2-x86_64-standard:5.0 + * **Environment type:** LINUX_CONTAINER @@ -145 +168,0 @@ The following details provide the default compute that is used for the Commands - * **Compute type:** Linux Small @@ -147 +169,0 @@ The following details provide the default compute that is used for the Commands - * **Environment computeType value:** BUILD_GENERAL1_SMALL @@ -149 +170,0 @@ The following details provide the default compute that is used for the Commands - * **Environment type value:** LINUX_CONTAINER @@ -150,0 +172 @@ The following details provide the default compute that is used for the Commands +**ComputeType** @@ -152,0 +175,16 @@ The following details provide the default compute that is used for the Commands +Required: No + +Based on the selection for EnvironmentType, the compute type can be provided. The following are available values for compute; however, note that the options available can vary by OS. + + * BUILD_GENERAL1_SMALL + + * BUILD_GENERAL1_MEDIUM + + * BUILD_GENERAL1_LARGE + + + + +###### Important + +Some compute types are not compatible with certain environment types. For example, WINDOWS_SERVER_2022_CONTAINER is not compatible with BUILD_GENERAL1_SMALL. Using incompatible combinations causes the action to fail and generates a runtime error. @@ -192,0 +231,35 @@ The security groups for the VPC. This field is needed when your commands need to +The following is a JSON example of the action with configuration fields shown for environment and compute type, along with example environment variable. + + + { + "name": "Commands1", + "actionTypeId": { + "category": "Compute", + "owner": "AWS", + "provider": "Commands", + "version": "1" + }, + "inputArtifacts": [ + { + "name": "SourceArtifact" + } + ], + "commands": [ + "ls", + "echo hello", + "echo $BEDROCK_TOKEN", + ], + "configuration": { + "EnvironmentType": "LINUX_CONTAINER", + "ComputeType": "BUILD_GENERAL1_MEDIUM" + }, + "environmentVariables": [ + { + "name": "BEDROCK_TOKEN", + "value": "apiTokens:bedrockToken", + "type": "SECRETS_MANAGER" + } + ], + "runOrder": 1 + } + @@ -212 +285 @@ The security groups for the VPC. This field is needed when your commands need to -The key in a key-value environment variable pair, such as `Name`. +The key in a key-value environment variable pair, such as `BEDROCK_TOKEN`. @@ -217 +290,39 @@ The key in a key-value environment variable pair, such as `Name`. -The value for the key-value pair, such as `Production`. The value can be parameterized with output variables from pipeline actions or pipeline variables. +The value for the key-value pair, such as `apiTokens:bedrockToken`. The value can be parameterized with output variables from pipeline actions or pipeline variables. + +When using the `SECRETS_MANAGER` type, this value must be the name of a secret you have already stored in AWS Secrets Manager. + +**Type** + + +Specifies the type of use for the environment variable value. The value can be either `PLAINTEXT` or `SECRETS_MANAGER`. If the value is `SECRETS_MANAGER`, provide the Secrets reference in the `EnvironmentVariable` value. When not specified, this defaults to `PLAINTEXT`. + +###### Note + +We strongly discourage the use of _plaintext_ environment variables to store sensitive values, especially AWS credentials. When you use the CodeBuild console or AWS CLI, _plaintext_ environment variables are displayed in plain text. For sensitive values, we recommend that you use the `SECRETS_MANAGER` type instead. + +###### Note + +When you enter the `name`, `value`, and `type` for your environment variables configuration, especially if the environment variable contains CodePipeline output variable syntax, do not exceed the 1000-character limit for the configuration’s value field. A validation error is returned when this limit is exceeded. + +For an example action declaration showing an environment variable, see Configuration parameters. + +###### Note + + * The `SECRETS_MANAGER` type is only supported for the Commands action. + + * Secrets referenced in the Commands action will be redacted in the build logs similar to CodeBuild. But pipeline users who have **Edit** access to the pipeline can still potentially access these secret values by modifying the commands. + + * To use the SecretsManager, you must add the following permissions to your pipeline service role: + + { + "Effect": "Allow", + "Action": [ + "secretsmanager:GetSecretValue" + ], + "Resource": [ + "SECRET_ARN" + ] + } + + +