AWS Security ChangesHomeSearch

AWS codepipeline medium security documentation change

Service: codepipeline · 2025-05-10 · Security-related medium

File: codepipeline/latest/userguide/action-reference-Commands.md

Summary

Expanded documentation on environment types, compute types, and environment variables with security guidance for Secrets Manager integration

Security assessment

Added explicit warnings about plaintext environment variable risks, documented SECRETS_MANAGER integration with required IAM permissions, and highlighted risks of pipeline edit access exposing secrets. These changes directly address secure secret handling practices.

Diff

diff --git a/codepipeline/latest/userguide/action-reference-Commands.md b/codepipeline/latest/userguide/action-reference-Commands.md
index c19d10f8e..02857301d 100644
--- a//codepipeline/latest/userguide/action-reference-Commands.md
+++ b//codepipeline/latest/userguide/action-reference-Commands.md
@@ -141 +141,25 @@ Multi-line formats are not supported and will result in an error message. Single
-The following details provide the default compute that is used for the Commands action. For more information, see [Build environment compute modes and types](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html) reference in the CodeBuild User Guide.
+###### Important
+
+The EnvironmentType and ComputeType values match those in CodeBuild. We support a subset of the available types. For more information, see [Build Environment Compute Types](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html).
+
+**EnvironmentType**
+    
+
+Required: No
+
+The OS image for the build environment that supports the Commands action. The following are valid values for build environments:
+
+  * LINUX_CONTAINER
+
+  * WINDOWS_SERVER_2022_CONTAINER
+
+
+
+
+The selection for **EnvironmentType** will then allow the compute type for that OS in the **ComputeType** field. For more information about the CodeBuild compute types available for this action, see the [Build environment compute modes and types](https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html) reference in the CodeBuild User Guide.
+
+###### Note
+
+If not specified, the compute defaults to the following for the build environment:
+
+  * **Compute type:** BUILD_GENERAL1_SMALL
@@ -143 +167 @@ The following details provide the default compute that is used for the Commands
-  * **CodeBuild image:** aws/codebuild/amazonlinux2-x86_64-standard:5.0
+  * **Environment type:** LINUX_CONTAINER
@@ -145 +168,0 @@ The following details provide the default compute that is used for the Commands
-  * **Compute type:** Linux Small
@@ -147 +169,0 @@ The following details provide the default compute that is used for the Commands
-  * **Environment computeType value:** BUILD_GENERAL1_SMALL
@@ -149 +170,0 @@ The following details provide the default compute that is used for the Commands
-  * **Environment type value:** LINUX_CONTAINER
@@ -150,0 +172 @@ The following details provide the default compute that is used for the Commands
+**ComputeType**
@@ -152,0 +175,16 @@ The following details provide the default compute that is used for the Commands
+Required: No
+
+Based on the selection for EnvironmentType, the compute type can be provided. The following are available values for compute; however, note that the options available can vary by OS.
+
+  * BUILD_GENERAL1_SMALL
+
+  * BUILD_GENERAL1_MEDIUM
+
+  * BUILD_GENERAL1_LARGE
+
+
+
+
+###### Important
+
+Some compute types are not compatible with certain environment types. For example, WINDOWS_SERVER_2022_CONTAINER is not compatible with BUILD_GENERAL1_SMALL. Using incompatible combinations causes the action to fail and generates a runtime error.
@@ -192,0 +231,35 @@ The security groups for the VPC. This field is needed when your commands need to
+The following is a JSON example of the action with configuration fields shown for environment and compute type, along with example environment variable.
+    
+    
+     {
+                "name": "Commands1",
+                "actionTypeId": {
+                  "category": "Compute",
+                  "owner": "AWS",
+                  "provider": "Commands",
+                  "version": "1"
+                },
+                "inputArtifacts": [
+                  {
+                    "name": "SourceArtifact"
+                  }
+                ],
+                "commands": [
+                  "ls",
+                  "echo hello",
+                  "echo $BEDROCK_TOKEN",
+                ],
+                "configuration": {
+                  "EnvironmentType": "LINUX_CONTAINER",
+                  "ComputeType": "BUILD_GENERAL1_MEDIUM"
+                },
+                "environmentVariables": [
+                  {
+                    "name": "BEDROCK_TOKEN",
+                    "value": "apiTokens:bedrockToken",
+                    "type": "SECRETS_MANAGER"
+                  }
+                ],
+                "runOrder": 1
+              }
+
@@ -212 +285 @@ The security groups for the VPC. This field is needed when your commands need to
-The key in a key-value environment variable pair, such as `Name`.
+The key in a key-value environment variable pair, such as `BEDROCK_TOKEN`.
@@ -217 +290,39 @@ The key in a key-value environment variable pair, such as `Name`.
-The value for the key-value pair, such as `Production`. The value can be parameterized with output variables from pipeline actions or pipeline variables.
+The value for the key-value pair, such as `apiTokens:bedrockToken`. The value can be parameterized with output variables from pipeline actions or pipeline variables.
+
+When using the `SECRETS_MANAGER` type, this value must be the name of a secret you have already stored in AWS Secrets Manager.
+
+**Type**
+    
+
+Specifies the type of use for the environment variable value. The value can be either `PLAINTEXT` or `SECRETS_MANAGER`. If the value is `SECRETS_MANAGER`, provide the Secrets reference in the `EnvironmentVariable` value. When not specified, this defaults to `PLAINTEXT`.
+
+###### Note
+
+We strongly discourage the use of _plaintext_ environment variables to store sensitive values, especially AWS credentials. When you use the CodeBuild console or AWS CLI, _plaintext_ environment variables are displayed in plain text. For sensitive values, we recommend that you use the `SECRETS_MANAGER` type instead.
+
+###### Note
+
+When you enter the `name`, `value`, and `type` for your environment variables configuration, especially if the environment variable contains CodePipeline output variable syntax, do not exceed the 1000-character limit for the configuration’s value field. A validation error is returned when this limit is exceeded.
+
+For an example action declaration showing an environment variable, see Configuration parameters.
+
+###### Note
+
+  * The `SECRETS_MANAGER` type is only supported for the Commands action.
+
+  * Secrets referenced in the Commands action will be redacted in the build logs similar to CodeBuild. But pipeline users who have **Edit** access to the pipeline can still potentially access these secret values by modifying the commands.
+
+  * To use the SecretsManager, you must add the following permissions to your pipeline service role:
+    
+        {
+                "Effect": "Allow",
+                "Action": [
+                    "secretsmanager:GetSecretValue"
+                ],
+                "Resource": [
+                    "SECRET_ARN"
+                ]
+            }
+
+
+