CircleCI Field Guide

Connect CircleCI with AWS Secrets Manager using OIDC

This guide walks through using AWS Secrets Manager together with CircleCI's OIDC feature to securely retrieve a secret, such as an API token, and use it safely within a job.

Use Cases

For customers who want a secure, single source of truth for their secrets, AWS Secrets Manager can be beneficial by providing easier mechanisms to store, retrieve and rotate secrets.

IAM roles can be very narrowly scoped which reduces the blast radius if any secrets are leaked.

In this example, a token for the CircleCI API is stored in Secrets Manager, which is retrieved during a job.

Prerequisites

  • A secret/key/token saved in AWS Secrets Manager. Make a note of the ARN associated with that secret.
  • OIDC set up as per this guide
    • Suggestion: Ensure the IAM role is narrowly scoped to allow only read-access on that particular secret

The IAM Role

Here is an example policy that will allow access to a specific secret ARN:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds"
            ],
            "Resource": "arn:aws:secretsmanager:eu-west-1:account-id-12345:secret:circleci-api"
        }
    ]
}

Once the role has been created, make a note of its ARN.

The Config

Once the secret has been saved to AWS Secrets Manager, the ARNs of both the secret and the IAM role can be added as environment variables:

jobs:
  retrieve-secret-and-verify:
    environment:
      AWS_REGION: eu-west-1
      AWS_ROLE_ARN: "arn:aws:iam::483285841698:role/secrets-mananger-oidc"
      AWS_SECRET_ARN: "arn:aws:secretsmanager:eu-west-1:account-id-12345:secret:circleci-api"

The AWS CLI can be used to retrieve a secret stored in Secrets Manager:

Note: the secret will be printed to the step output if you do not handle it correctly. Capture it in a shell variable, as below, or store it in a context instead of echoing it.

# Capture the token in a variable; do not print it to the step output
CIRCLE_API_TOKEN=$(aws secretsmanager get-secret-value --secret-id $AWS_SECRET_ARN \
  --query SecretString \
  --output text | jq -r '."circleci-api-token"')

Full Config

version: 2.1

orbs:
  # import CircleCI's aws-cli orb
  aws-cli: circleci/aws-cli@4.0.0

jobs:
  retrieve-secret-and-verify:
    environment:
      AWS_REGION: eu-west-1
      AWS_ROLE_ARN: "arn:aws:iam::483285841698:role/secrets-mananger-oidc"
      AWS_SECRET_ARN: "arn:aws:secretsmanager:eu-west-1:account-id-12345:secret:circleci-api"
    docker:
      - image: cimg/aws:2022.06
    steps:
      - checkout
      # run the aws-cli/setup command from the orb
      - aws-cli/setup:
          role_arn: $AWS_ROLE_ARN
          region: $AWS_REGION
      # Get the CircleCI API token from Secrets Manager and verify using the CircleCI API
      - run:
          name: Get my secret and call the API
          command: |
            # Beware, output will not be masked if you just output as text
            CIRCLE_API_TOKEN=$(aws secretsmanager get-secret-value --secret-id $AWS_SECRET_ARN \
              --query SecretString \
              --output text | jq -r '."circleci-api-token"')
            # Verify the token by calling the CircleCI API as its owner
            curl -s https://circleci.com/api/v2/me -H "Circle-Token: $CIRCLE_API_TOKEN"

workflows:
  OIDC-with-AWS:
    jobs:
      - retrieve-secret-and-verify:
          # job must use a valid CircleCI context
          context: aws
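The retrieval step above has one failure mode worth handling: `jq -r` prints the literal string "null" when the key is missing from the SecretString, so the job would go on to call the API with the token "null". The following is an added example (not code from the field guide or the orb) of a small helper a step could run instead of the inline command: it uses boto3 rather than the AWS CLI, fails closed on a missing or empty key, hands the token to later steps through `$BASH_ENV`, and never prints it. It assumes boto3 is installed in the job image and that `aws-cli/setup` has already placed the OIDC-assumed role's credentials in the environment.

```python
"""Fetch the CircleCI API token from Secrets Manager and expose it to later steps
without printing it. Added example; assumes boto3 and the aws-cli/setup step."""
import json
import os

SECRET_KEY = "circleci-api-token"  # key inside the JSON SecretString, as on the page


def extract_key(secret_string: str, key: str) -> str:
    """Return the value stored under `key` in a JSON SecretString, failing closed.

    The inline `jq -r '."circleci-api-token"'` yields the string "null" when the key
    is absent; this raises instead and also rejects empty or non-string values.
    """
    try:
        data = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        raise ValueError("SecretString is not valid JSON") from exc
    value = data.get(key) if isinstance(data, dict) else None
    if not isinstance(value, str) or not value:
        raise ValueError(f"secret has no non-empty string value for key {key!r}")
    return value


def bash_env_export(name: str, value: str) -> str:
    """Line to append to $BASH_ENV so later steps see the variable.

    Single-quoted so the shell never re-expands the value; embedded single quotes
    are escaped as '\\'' (close quote, escaped quote, reopen quote).
    """
    escaped = value.replace("'", "'\\''")
    return f"export {name}='{escaped}'\n"


def fetch_secret_string(secret_arn: str, region: str) -> str:
    """Live retrieval via boto3 (swapped in for the page's AWS CLI call)."""
    import boto3  # imported here so the pure helpers above work without it

    client = boto3.client("secretsmanager", region_name=region)
    return client.get_secret_value(SecretId=secret_arn)["SecretString"]


if __name__ == "__main__":
    # AWS_SECRET_ARN and AWS_REGION come from the job's `environment:` block
    raw = fetch_secret_string(os.environ["AWS_SECRET_ARN"], os.environ["AWS_REGION"])
    token = extract_key(raw, SECRET_KEY)
    with open(os.environ["BASH_ENV"], "a", encoding="utf-8") as env_file:
        env_file.write(bash_env_export("CIRCLE_API_TOKEN", token))
    # Log only the length, never the value: step output is not masked
    print(f"retrieved {SECRET_KEY} ({len(token)} characters) into CIRCLE_API_TOKEN")
```

A later `run` step in the same job can then use `$CIRCLE_API_TOKEN` directly, for example in the `curl` call from the full config.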