Working with secrets - Amazon CodeCatalyst

Working with secrets

There may be times when you need to use sensitive data, such as authentication credentials, in your workflows. Avoid storing these values in plaintext anywhere in your repository, because anyone with access to the repository can see them. For the same reason, don't place these values directly in a workflow definition: the definition is itself a file in your repository. With CodeCatalyst, you can protect these values by adding a secret to your project and then referencing the secret in your workflow definition file. To create, edit, or delete a secret, you must have the Project administrator role.

Note

Secrets can only be used to replace passwords and sensitive information in the workflow definition file.

Creating a secret

Use the following procedure to create a secret. The secret contains the sensitive information that you want to hide from view.

Note

Secrets are visible to actions and are not masked when written to a file.

To create a secret
  1. Open the CodeCatalyst console at https://codecatalyst.aws/.

  2. In the navigation pane, choose CI/CD, and then choose Secrets.

  3. Choose Create secret.

  4. Enter the following information:

    Name

    Enter a name for your secret.

    Value

    Enter the value for the secret. This is the sensitive information that you want to hide from view. By default, the value is not displayed. To display the value, choose Show value.

    Description

    (Optional) Enter a description for your secret.

  5. Choose Create.

Editing a secret

Use the following procedure to edit a secret.

To edit a secret
  1. Open the CodeCatalyst console at https://codecatalyst.aws/.

  2. In the navigation pane, choose CI/CD, and then choose Secrets.

  3. In the secrets list, choose the secret that you want to edit.

  4. Choose Edit.

  5. Edit the following properties:

    Value

    Enter the value for the secret. This is the value that you want to hide from view. By default, the value is not displayed.

    Description

    (Optional) Enter a description for your secret.

  6. Choose Save.

Using a secret

To use a secret in a workflow action, you must obtain the reference identifier of the secret and use that identifier in the workflow action.

Obtaining the identifier of a secret

Use the following procedure to obtain the reference identifier of the secret. You'll add this identifier to your workflow.

To obtain the reference identifier of the secret
  1. Open the CodeCatalyst console at https://codecatalyst.aws/.

  2. In the navigation pane, choose CI/CD, and then choose Secrets.

  3. In the list of secrets, find the secret that you want to use.

  4. In the Reference ID column, copy the identifier of the secret. The following is the syntax for the Reference ID:

    ${Secrets.<name>}

Referencing a secret in a workflow

Use the following procedure to reference a secret in a workflow.

To reference a secret
  1. In the navigation pane, choose CI/CD, and then choose Workflows.

  2. Choose the name of your workflow. You can filter by the source repository or branch name where the workflow is defined, or filter by workflow name.

  3. Choose Edit.

  4. Choose YAML.

  5. Modify the YAML to use the identifier of the secret. For example, to use a user name and password that are stored as secrets with the curl command, you would use a Run command similar to the following, where each placeholder is the secret's Reference ID in the form ${Secrets.<name>}:

    - Run: curl -u <username-secret-identifier>:<password-secret-identifier> https://example.com

  6. (Optional) Choose Validate to validate the workflow's YAML code before committing.

  7. Choose Commit, enter a commit message, and choose Commit again.

Deleting a secret

Use the following procedures to remove a secret's reference identifier from your workflows and then delete the secret itself.

Note

Before deleting a secret, we recommend that you remove the secret's reference identifier from all workflow actions. If you delete the secret without deleting the reference identifier, the action will fail the next time it runs.

To delete a secret's reference identifier from a workflow
  1. Open the CodeCatalyst console at https://codecatalyst.aws/.

  2. In the navigation pane, choose CI/CD, and then choose Workflows.

  3. Choose the name of your workflow. You can filter by the source repository or branch name where the workflow is defined, or filter by workflow name.

  4. Choose Edit.

  5. Choose YAML.

  6. Search the workflow for the following string:

    ${Secrets.

    This finds all reference identifiers of all secrets.

  7. Delete the reference identifier of the chosen secret, or replace it with a plaintext value.

  8. (Optional) Choose Validate to validate the workflow's YAML code before committing.

  9. Choose Commit, enter a commit message, and choose Commit again.
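The following script is an added example, not part of the CodeCatalyst documentation. It ties together the two steps above: it writes a constructed workflow file whose Run step references two secrets in the documented ${Secrets.<name>} form (the action name CallApi, the secret names ApiUser and ApiPassword, the example URL, and the .codecatalyst/workflows directory are assumptions for this example), then lists every secret referenced in that file so you can confirm a secret is no longer in use before deleting it. It uses only POSIX sh, grep, sed and sort.

```shell
#!/bin/sh
# Added example (not from the CodeCatalyst docs). Creates a constructed
# workflow file that references two secrets, then lists every
# ${Secrets.<name>} reference so a secret can be checked for remaining
# uses before it is deleted from the project.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
# Directory layout and file name are assumptions for this example.
WORKFLOW="$WORKDIR/.codecatalyst/workflows/deploy.yaml"
mkdir -p "$(dirname "$WORKFLOW")"

# Constructed sample workflow. The action name "CallApi" and the secret
# names "ApiUser" / "ApiPassword" are assumed for the example; the Run
# step follows the curl pattern shown in the documentation.
cat > "$WORKFLOW" <<'EOF'
Name: deploy
SchemaVersion: "1.0"
Triggers:
  - Type: PUSH
    Branches:
      - main
Actions:
  CallApi:
    Identifier: aws/build@v1
    Inputs:
      Sources:
        - WorkflowSource
    Configuration:
      Steps:
        - Run: curl -u ${Secrets.ApiUser}:${Secrets.ApiPassword} https://example.com
        - Run: echo "request sent"
EOF

# Print each secret name referenced in a workflow file, one per line,
# de-duplicated. Matches the documented reference-ID syntax ${Secrets.<name>}.
list_secret_refs() {
  grep -o '\${Secrets\.[^}]*}' "$1" | sed 's/^\${Secrets\.//; s/}$//' | sort -u
}

# Return 0 if the named secret is still referenced in the file, 1 otherwise.
# Usage: secret_in_use <secret-name> <workflow-file>
secret_in_use() {
  list_secret_refs "$2" | grep -qx "$1"
}

echo "Secrets referenced in $WORKFLOW:"
list_secret_refs "$WORKFLOW"

# Check a specific secret before deleting it in the console.
if secret_in_use ApiPassword "$WORKFLOW"; then
  echo "ApiPassword is still referenced; remove the reference before deleting the secret."
else
  echo "ApiPassword is not referenced; it is safe to delete."
fi
```

Run the same two functions against every file under your repository's workflow directory before deleting a secret; a secret that still turns up in the list will cause the referencing action to fail on its next run, as the note above describes. The script never echoes a secret value, only the names of the references, because secret values are not masked when written to files or logs.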

To delete a secret
  1. Open the CodeCatalyst console at https://codecatalyst.aws/.

  2. In the navigation pane, choose CI/CD, and then choose Secrets.

  3. In the secrets list, choose the secret you want to delete.

  4. Choose Delete.

  5. Enter delete to confirm the deletion.

  6. Choose Delete.