Connect CircleCI with AWS Secrets Manager using OIDC
This guide walks you through using AWS Secrets Manager together with CircleCI's OIDC feature to securely retrieve a secret, such as an API token, and use it safely inside a job.
For customers who want a secure, single source of truth for their secrets, AWS Secrets Manager can be beneficial by providing easier mechanisms to store, retrieve and rotate secrets.
IAM roles can be very narrowly scoped, which reduces the blast radius if any secrets are leaked.
In this example, a token for the CircleCI API is stored in Secrets Manager and retrieved during a job.
- A secret/key/token saved in AWS Secrets Manager. Make a note of the arn associated with that secret.
- OIDC set up as per this guide
- Suggestion: Ensure the IAM role is narrowly scoped to allow only read-access on that particular secret
Here is an example policy for the role that will allow read access to one specific secret arn only:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds"
            ],
            "Resource": "arn:aws:secretsmanager:eu-west-1:account-id-12345:secret:circleci-api"
        }
    ]
}
Once the role has been created, make a note of its arn.
Once the secret has been saved to AWS Secrets Manager, the arns of both the secret and the IAM role can be added as environment variables:
jobs:
  retrieve-secret-and-verify:
    environment:
      AWS_REGION: eu-west-1
      AWS_ROLE_ARN: "arn:aws:iam::483285841698:role/secrets-mananger-oidc"
      AWS_SECRET_ARN: "arn:aws:secretsmanager:eu-west-1:account-id-12345:secret:circleci-api"
The AWS CLI can be used to retrieve a secret stored in Secrets Manager:
Note: the secret will be printed to the step output unless it is handled carefully, for example by capturing it directly into a shell variable (as below) or storing it in a context, rather than echoing it.
CIRCLE_API_TOKEN=$(aws secretsmanager get-secret-value --secret-id "$AWS_SECRET_ARN" \
    --query SecretString \
    --output text | jq -r '."circleci-api-token"')
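The retrieval step above, expanded into a small script that fails closed when the field is missing and never writes the token to the step output. This is an added example, not code from the original article; it assumes AWS_SECRET_ARN is set and the step already holds AWS credentials obtained through the OIDC role, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: fetch one field of a JSON
# secret from Secrets Manager inside the job and use it without printing it.
# Assumes AWS_SECRET_ARN is set and the step already holds AWS credentials
# obtained through the OIDC role. Function and field names are hypothetical.
set -u

# Return the raw SecretString for the secret arn given as $1.
fetch_secret_string() {
  aws secretsmanager get-secret-value \
      --secret-id "$1" --query SecretString --output text
}

# Print top-level string field $2 of flat JSON object $1; fail if absent.
# jq is used when available; the sed fallback handles only unescaped values.
json_field() {
  if command -v jq >/dev/null 2>&1; then
    printf '%s' "$1" | jq -er --arg k "$2" '.[$k]'
  else
    printf '%s\n' "$1" \
      | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
      | grep .
  fi
}

# Load the token into CIRCLE_API_TOKEN. Only its length is logged, and
# xtrace is switched off so the assignment itself cannot leak into the output.
load_circle_api_token() {
  local secret_json token
  set +x
  secret_json=$(fetch_secret_string "$AWS_SECRET_ARN") || return 1
  token=$(json_field "$secret_json" "circleci-api-token") || {
    echo "circleci-api-token not found in secret" >&2; return 1; }
  export CIRCLE_API_TOKEN="$token"
  echo "Retrieved CircleCI API token (${#token} chars, value not shown)"
}

# Prove the token works by calling the CircleCI API; the response body is
# discarded so nothing sensitive reaches the step output.
verify_circle_api_token() {
  curl -sf -o /dev/null -H "Circle-Token: $CIRCLE_API_TOKEN" \
      https://circleci.com/api/v2/me
}
```

In the job, run `load_circle_api_token && verify_circle_api_token` as one step; a missing field or an invalid token fails the build instead of silently continuing.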