From 922adb09448c6b622ed3dcb5ee56dc6f1d61b703 Mon Sep 17 00:00:00 2001
From: Rico Huijbers
Date: Thu, 12 Dec 2024 12:06:31 +0100
Subject: [PATCH] fix: NuGet job can't write to SSM when using secret role

When the NuGet publishing script assumes a role to retrieve the API key secret, it pollutes the global environment variables with the role credentials. When we then later try to write to SSM, it uses the wrong role (the secret role instead of the CodeBuild role). Retrieve the secret credentials in a subshell so they don't interfere with the CodeBuild credentials.
---
 lib/publishing/nuget/publish.sh | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/lib/publishing/nuget/publish.sh b/lib/publishing/nuget/publish.sh
index f1590b01..58ef8b19 100644
--- a/lib/publishing/nuget/publish.sh
+++ b/lib/publishing/nuget/publish.sh
@@ -57,16 +57,22 @@ fi
 echo "Publishing NuGet packages..."
-if [ -n "${NUGET_ROLE_ARN:-}" ]; then
- ROLE=$(aws sts assume-role --region "${NUGET_SECRET_REGION:-}" --role-arn "${NUGET_ROLE_ARN:-}" --role-session-name "buildable_nuget_publish")
- export AWS_ACCESS_KEY_ID=$(echo $ROLE | jq -r .Credentials.AccessKeyId)
- export AWS_SECRET_ACCESS_KEY=$(echo $ROLE | jq -r .Credentials.SecretAccessKey)
- export AWS_SESSION_TOKEN=$(echo $ROLE | jq -r .Credentials.SessionToken)
-fi
+(
+ # Assume a role, just for the purposes of retrieving the secret and nothing else.
+ # Run in a subshell so the changed environment variables in here don't interfere with the ones
+ # of the parent shell.
+ if [ -n "${NUGET_ROLE_ARN:-}" ]; then
+ ROLE=$(aws sts assume-role --region "${NUGET_SECRET_REGION:-}" --role-arn "${NUGET_ROLE_ARN:-}" --role-session-name "buildable_nuget_publish")
+ export AWS_ACCESS_KEY_ID=$(echo $ROLE | jq -r .Credentials.AccessKeyId)
+ export AWS_SECRET_ACCESS_KEY=$(echo $ROLE | jq -r .Credentials.SecretAccessKey)
+ export AWS_SESSION_TOKEN=$(echo $ROLE | jq -r .Credentials.SessionToken)
+ fi
+ aws secretsmanager get-secret-value --region "${NUGET_SECRET_REGION:-}" --secret-id "${NUGET_SECRET_ID:-}" | jq -r .SecretString | jq -r .NugetApiKey > /tmp/key.txt
+)
+NUGET_API_KEY=$(cat /tmp/key.txt)
 NUGET_SOURCE="https://api.nuget.org/v3/index.json"
 NUGET_SYMBOL_SOURCE="https://nuget.smbsrc.net/"
-NUGET_API_KEY=$(aws secretsmanager get-secret-value --region "${NUGET_SECRET_REGION:-}" --secret-id "${NUGET_SECRET_ID:-}" | jq -r .SecretString | jq -r .NugetApiKey)
 log=$(mktemp -d)/log.txt
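Review bot: The new `aws secretsmanager … | jq -r .NugetApiKey > /tmp/key.txt` line and the `NUGET_API_KEY=$(cat /tmp/key.txt)` that follows it write the NuGet API key to a fixed, predictable path in the shared `/tmp`, readable under the default umask by any other process on the build host, and the file is never removed. A command substitution is itself a subshell, so the credential exports stay contained without touching disk: change the opening `(` to `NUGET_API_KEY=$(`, drop `> /tmp/key.txt` from the secretsmanager line, and delete `NUGET_API_KEY=$(cat /tmp/key.txt)`. Whether the script runs under `set -e`/`pipefail` is outside the hunk; as written, a failed `aws secretsmanager` call leaves an empty key (the redirect truncates the file before the pipeline runs, and `jq` on empty input exits 0), so I'd also add `[ -n "$NUGET_API_KEY" ] || { echo "failed to retrieve NuGet API key" >&2; exit 1; }` after the assignment so the job fails before it attempts to publish. The `echo $ROLE | jq` lines are carried over unquoted; `printf '%s' "$ROLE" | jq …` is the clean form while you are touching them.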