How can I get a set of variables from AWS Parameter Store, to use them in an Octopus Project?

Hello!

I have some variables in **AWS Systems Manager Parameter Store** and I need to use them in different Projects from different Spaces. What would be the optimal way to achieve this?

Thank you very much!

Nicolás

Hi @nicolas.spencer

Thanks for your question!

We don’t have a built-in way to retrieve variables from an AWS parameter store. However, similarly to where I wrote a community step template to integrate with the AWS Secrets Manager here, I believe your best bet here would be to write a custom step template to achieve this.

Looking at a walkthrough guide on Amazon’s website to create a SecureString parameter here, it looks like you can utilize the AWS Tools for PowerShell to retrieve an AWS Parameter like so:

$domainNameValue = (Get-SSMParameterValue -Name domainName).Parameters[0].Value

By creating a step template you can parameterize the query, with support for multiple parameters to be retrieved and any other functionality you desire.

Once you have the value(s) you are after, the step template would then create an Octopus output variable for each value using the Set-OctopusVariable functionality; an example is below:

Set-OctopusVariable -name "TestResult" -value "Passed"

If the values are sensitive then you’d alter the above example to include the -sensitive switch, e.g.:

Set-OctopusVariable -name "Password" -value "correct horse battery staple" -sensitive

Given that you want something that works across spaces, I’d recommend considering contributing to our community library if you do go down the route of a step template. This would allow each space to access the library and take advantage of any updates independently. You can still achieve the same by having a custom step template, but you would lose the ability to update them all from our central library.

I hope that helps!

Best,

1 Like
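As an added illustration of the step-template approach Mark describes (this is not his community template or any Octopus-provided code), the script below pulls a batch of Parameter Store values with Get-SSMParameterValue and turns each into an Octopus output variable, marking SecureString values with -sensitive. It assumes the AWS.Tools.SimpleSystemsManagement module and AWS credentials/region are already available on the worker, and the step parameter name `AwsSsm.ParameterNames` and the last-path-segment naming rule are my own choices.

```powershell
# Added example (not the community step template): fetch SSM parameters and
# expose each one as an Octopus output variable, sensitive where appropriate.
# Assumes AWS.Tools.SimpleSystemsManagement is installed on the worker and that
# AWS credentials and region are already configured for this step.

# Hypothetical step template parameter: newline-separated list of parameter names.
$parameterNames = @($OctopusParameters["AwsSsm.ParameterNames"] -split "`n" |
    ForEach-Object { $_.Trim() } | Where-Object { $_ })

if ($parameterNames.Count -eq 0) { throw "No parameter names supplied." }

# GetParameters accepts at most 10 names per call, so request them in chunks
# rather than one call per parameter.
for ($i = 0; $i -lt $parameterNames.Count; $i += 10) {
    $last  = [Math]::Min($i + 9, $parameterNames.Count - 1)
    $batch = @($parameterNames[$i..$last])

    # -WithDecryption is required to get the plaintext of SecureString parameters.
    $response = Get-SSMParameterValue -Name $batch -WithDecryption $true

    # Fail the step if any requested name is missing instead of silently skipping it.
    if ($response.InvalidParameters.Count -gt 0) {
        throw "Parameters not found in SSM: $($response.InvalidParameters -join ', ')"
    }

    foreach ($p in $response.Parameters) {
        # Output variable name = last path segment, e.g. /app/dev/api-key -> api-key
        $varName = ($p.Name -split '/')[-1]

        if ("$($p.Type)" -eq 'SecureString') {
            # Sensitive values are masked in the task log and stored encrypted.
            Set-OctopusVariable -name $varName -value $p.Value -sensitive
            Write-Host "Created sensitive output variable '$varName' from $($p.Name)"
        }
        else {
            Set-OctopusVariable -name $varName -value $p.Value
            Write-Host "Created output variable '$varName' from $($p.Name)"
        }
    }
}
```

Downstream steps then reference each value as `#{Octopus.Action[<step name>].Output.<variable name>}`, exactly as with the Secrets Manager template discussed later in this thread.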

Thank you very much @mark.harrison! That was really helpful. I wasn’t aware of the community step template to integrate with the AWS Secrets Manager. We might use that one instead. If not, we will probably build our own template and publish it to the community library as suggested.

Best regards,
Nicolás

Hey @nicolas.spencer

You’re very welcome!

I hope you have a lovely weekend 🙂

Best regards

Hi @mark.harrison I hope you had a lovely weekend.

Quick question, I was testing the AWS Secrets Manager template and I can’t find a way to give a scope to the secret that I’m retrieving. I have the following secrets:

Dev Secret:

{
  "api-key"   : "api-key-from-dev",
  "app-key"   : "app-key-from-dev"
}

Prd Secret:

{
  "api-key"   : "api-key-from-prd",
  "app-key"   : "app-key-from-prd"
}

How would you do it, for example, if you wanted the following variable:

#{Octopus.Action[AWS Secrets Manager - Retrieve Secrets].Output.api-key}

gets the api-key-from-dev value when deploying to Development, and the api-key-from-prd when deploying to Production?

Any advice would be appreciated.

Regards!
Nicolás

Hi @nicolas.spencer

Thanks for your question.

In what AWS context is the Dev secret vs the Prd secret different? e.g. are they in separate AWS accounts or some other AWS context boundary?

The answer to that will help get the most appropriate response for you!

Best,

Both secrets are stored in the same AWS Account, with no context boundaries.

Thanks!

Cheers

Hi @nicolas.spencer

Based on the information you’ve given me, I am assuming, therefore, that Dev Secret and Prd secret are two separate secrets in AWS, e.g.:

If you had two secrets with identical secret keys like so:

If you wanted Octopus to be able to pick this up automatically, the simplest option would be to scope the name of the secret to a project variable with a value for each environment e.g.:

Then in the step itself, use the project variable to denote the secret name:

ℹ️ In the example above, the secret keys are specified along with the output variable name desired. Although this might look like duplication (specifying the same secret twice), the way the step template works out an output variable name is designed to avoid overwriting an output variable wherever possible. It’s for this reason that you need to specify the secret key name and variable name for each secret key on a new line.

Then when running the deployment in development, you should see the Dev-secret name being used in the task logs, and the desired variable name is created:

There are alternatives to this, for example, storing the environment-based secret keys in a single secret, but this isn’t something I’d recommend as you can’t rotate the values independently, which is usually a requirement of most organizations.

I hope this helps, but please let me know if you have any further queries!

Best,

Awesome! That’s really helpful. Thank you @mark.harrison for the quick and clear response!

Best,
Nicolás

Hey @nicolas.spencer

You’re welcome!

Just an FYI, during my testing for your question, I noticed some improvements I could make to the step template, specifically around reducing the number of calls to AWS and writing a warning if the same variable gets created.

I hope to get a change raised today, have a great rest of your day!

Thanks, Mark

Hey @nicolas.spencer

Just a courtesy message to let you know that version 3 of the AWS Secrets Manager step template is available now.

Your Octopus instance will usually sync changes every few hours, but you can sync it manually from the Configuration → Features menu:

Best,

Awesome! Thank you very much @mark.harrison!!

1 Like

No worries!