Introduction

Building and deploying software applications in the cloud can be a complex process, especially when it comes to managing sensitive data and configuration settings. In the context of AWS CodeBuild, environment variables play a crucial role in securely passing this information to your build processes.

In this blog post, we will explore how to effectively pass environment variables to AWS CodeBuild BuildSpecs. We will start by understanding what BuildSpecs are and why environment variables are important in this context. We will then dive into the process of defining environment variables within the BuildSpec file and referencing them in your build commands.

Additionally, we will explore the integration between AWS CodeBuild, AWS Parameter Store and AWS Secrets Manager, which enables you to securely retrieve sensitive data during the build process. By the end of this post, you will have a clear understanding of how to leverage environment variables to manage secure configuration settings and sensitive data in your AWS CodeBuild projects.

So, let’s get started and learn how to pass environment variables to AWS CodeBuild BuildSpecs effectively!

What is AWS CodeBuild?

AWS CodeBuild is a fully managed build service provided by Amazon Web Services (AWS) that simplifies the process of building, testing, and deploying applications in the cloud. It eliminates the need for managing infrastructure by automatically scaling and provisioning computing resources based on the requirements of your code. CodeBuild supports various programming languages, build tools, and frameworks, allowing you to build and test your applications efficiently. It integrates seamlessly with other AWS services, making it easier to incorporate continuous integration and delivery workflows into your development process. With CodeBuild, you can automate your build processes, ensure consistent build environments, and accelerate the delivery of your applications.

What is a BuildSpec?

A BuildSpec is a YAML file used to configure and guide AWS CodeBuild projects. The BuildSpec file provides a structured and readable format for defining your build pipeline. It allows you to specify the order of build phases, such as source, build, and post-build actions. Within each phase, you can define commands to be executed, environment variables to be set, and additional settings for build artifacts and notifications.

By using BuildSpec, you can easily define and manage your build process in a declarative manner. This provides consistency across different builds and ensures that the process is repeatable and predictable.

Now that we understand what BuildSpecs are, let’s explore the importance of environment variables in the context of AWS CodeBuild and how to effectively define and use them in your projects.

Why Use Environment Variables?

Environment variables are commonly used to store sensitive data or configuration settings that are required during the build process but should not be hard-coded in the BuildSpec. By utilizing environment variables, you can separate the configuration from the code, making it easier to manage and maintain.

Defining Environment Variables in BuildSpec

To pass environment variables to your AWS CodeBuild project, you need to define them in the BuildSpec file. Here’s an example:

version: 0.2

env:
  variables:
    MY_VARIABLE: "my-value"

In this example, we define a single environment variable MY_VARIABLE with the value "my-value". You can add more variables by including additional key-value pairs under the variables section.

Referencing Environment Variables

Once you have defined the environment variables in your BuildSpec, you can reference them in your build commands using the following syntax:


version: 0.2

phases:
  build:
    commands:
      - echo $MY_VARIABLE

In this example, we use the echo command to output the value of the MY_VARIABLE environment variable. Note the use of the `$` sign to reference the variable.

Using AWS Parameter Store

AWS Parameter Store is a managed service that helps you store and manage configuration data, secrets, and other types of sensitive information. It allows you to securely store sensitive data such as database connection strings, API keys, and passwords. AWS CodeBuild can integrate with Parameter Store to retrieve these values as environment variables during the build process.

To use AWS Parameter Store, you need to perform the following steps:

  1. Store the sensitive data in Parameter Store: In the AWS Management Console or through the AWS CLI, you can store your sensitive data in Parameter Store as key-value pairs. For example, you can store a database connection string as a parameter with the key /myapp/database/connectionstring and its corresponding value.
  2. Grant appropriate permissions: Ensure that the IAM role associated with your CodeBuild project has the necessary permissions to retrieve the parameter values from Parameter Store.
  3. Define the environment variable in your BuildSpec: In your BuildSpec file, you can reference the parameter using the store option under the env section. Here’s an example:
version: 0.2

env:
  parameter-store:
    DB_CONNECTION_STRING: /myapp/database/connectionstring

In this example, we define an environment variable DB_CONNECTION_STRING and specify its path in Parameter Store. AWS CodeBuild will retrieve the value associated with the specified path and make it available as an environment variable during the build process.

  1. Reference the environment variable in your build commands: Once you have defined the environment variable, you can reference it in your build commands using the $ sign. Here’s an example:
version: 0.2

phases:
  build:
    commands:
      - echo $DB_CONNECTION_STRING

In this example, we use the echo command to output the value of the DB_CONNECTION_STRING environment variable. CodeBuild will substitute the variable with the actual value retrieved from Parameter Store.

Using AWS Parameter Store provides an additional layer of security for managing sensitive information in AWS CodeBuild. It allows you to store and retrieve encrypted values without exposing them directly in your BuildSpec file.

Using AWS Secrets Manager

AWS Secrets Manager is a fully managed service that enables you to securely store and retrieve secrets, such as API keys, database credentials, and encryption keys. AWS CodeBuild integrates with Secrets Manager, allowing you to securely retrieve sensitive information during the build process.

To use AWS Secrets Manager in your CodeBuild project, you need to perform the following steps:

  1. Store the secret in Secrets Manager: Using the AWS Management Console or the AWS CLI, you can store your sensitive data as secrets in Secrets Manager. For example, you can store a database password as a secret with the name my-database-password and its corresponding value.
  2. Grant appropriate permissions: Make sure that the IAM role associated with your CodeBuild project has the necessary permissions to retrieve the secret value from Secrets Manager.
  3. Define the environment variable in your BuildSpec: In your BuildSpec file, you can reference the secret using the secrets-manager option under the env section. Here’s an example:
version: 0.2

env:
  secrets-manager:
    DB_PASSWORD: my-database-password

In this example, we define an environment variable DB_PASSWORD and specify the name of the secret stored in Secrets Manager. AWS CodeBuild will automatically retrieve the secret value associated with my-database-password and make it available as an environment variable during the build process.

  1. Reference the environment variable in your build commands: Once you have defined the environment variable, you can reference it in your build commands using the $ sign. Here’s an example:
version: 0.2

phases:
  build:
    commands:
      - echo $DB_PASSWORD

In this example, we use the echo command to output the value of the DB_PASSWORD environment variable. CodeBuild will substitute the variable with the actual secret value retrieved from Secrets Manager.

Using AWS Secrets Manager ensures that sensitive information remains secure and is only accessible to authorized entities during the build process. It allows you to centralize and manage secrets in a secure manner, reducing the risk of exposing sensitive data.

Exporting CodeBuild Environment Variables

In addition to defining and referencing environment variables within the BuildSpec file, you can also export them as outputs of your CodeBuild project. This allows you to pass the values of these variables to other AWS resources or subsequent build stages.

To export an environment variable in CodeBuild, you need to specify the exported-variables attribute under the env section in your BuildSpec file. Here’s an example:

version: 0.2

env:
  variables:
    MY_VARIABLE: "my-value"
  exported-variables:
    - MY_VARIABLE

In this example, we define the MY_VARIABLE environment variable and specify it as an exported variable. This means that the value of MY_VARIABLE will be available to other AWS resources or build stages.

To use the exported variable in subsequent build stages or AWS resources, you can reference it using the CODEBUILD_ prefix followed by the name of the variable. For example, to reference the exported MY_VARIABLE, you would use CODEBUILD_MY_VARIABLE.

Exporting CodeBuild environment variables allows you to share values between different parts of your build pipeline or pass them to other resources for further processing. This flexibility enables you to create more complex and dynamic build processes tailored to your specific requirements.

Environment variables from Parameter Store and Secrets Manager cannot be exported.

Conclusion

In conclusion, environment variables are essential in AWS CodeBuild for securely passing sensitive information and configuration settings to your build processes. By defining and referencing environment variables in the BuildSpec file, you can separate the configuration from the code, making it easier to manage. Integration with AWS Secrets Manager and AWS Parameter Store adds an additional layer of security for managing sensitive information. Exporting environment variables allows you to share values with other AWS resources or build stages, enabling more flexible and dynamic pipelines. By leveraging these best practices, you can improve security, streamline your build processes, and accelerate application delivery in the cloud.