Last active
April 25, 2019 21:56
-
-
Save tlwr/c1f8f6849a12e388581012d38f188e4c to your computer and use it in GitHub Desktop.
Hijackable pipeline for adding secrets to Concourse
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| resource_types: | |
| - name: meta | |
| type: docker-image | |
| source: | |
| repository: swce/metadata-resource | |
| resources: | |
| - name: job-metadata | |
| type: meta | |
| jobs: | |
| - name: run-me-and-then-hijack | |
| serial: true | |
| plan: | |
| - get: job-metadata | |
| - task: hijack-me | |
| config: | |
| platform: linux | |
| image_resource: | |
| type: docker-image | |
| source: | |
| repository: governmentpaas/awscli | |
| params: | |
| CONCOURSE_NAME: concourse | |
| TEAM_NAME: main | |
| KMS_KEY_ID: fill-me-in | |
| SECRETS_PATH_PREFIX: fill-me-in | |
| REGION: fill-me-in | |
| inputs: | |
| - name: job-metadata | |
| run: | |
| path: sh | |
| args: | |
| - -uec | |
| - | | |
| cat <<HELP | |
| Ensure you are logged in with the following command: | |
| $ fly --target "$CONCOURSE_NAME" login --team-name "$TEAM_NAME" --concourse-url "$(cat job-metadata/atc-external-url)" -b | |
| --- | |
| You can use fly to set some secrets manually. Run the following fly command: | |
| $ fly --target "$CONCOURSE_NAME" hijack --job "$(cat job-metadata/build-pipeline-name)/$(cat job-metadata/build-job-name)" sh | |
| Select the hijack-me task, then you can run: | |
| $ aws ssm put-parameter \\ | |
| --name "$SECRETS_PATH_PREFIX/my_secret_name" \\ | |
| --value "my-secret-value" \\ | |
| --type SecureString \\ | |
| --key-id "$KMS_KEY_ID" \\ | |
| --overwrite \\ | |
| --region $REGION | |
| This secret will be available in all your pipelines using the syntax: ((my_secret_name)) | |
| --- | |
| You can make a secret available in only a single pipeline using: | |
| $ aws ssm put-parameter \\ | |
| --name "$SECRETS_PATH_PREFIX/pipeline-name-change-me/my_secret_name" \\ | |
| --value "my-secret-value" \\ | |
| --type SecureString \\ | |
| --key-id "$KMS_KEY_ID" \\ | |
| --overwrite \\ | |
| --region $REGION | |
| --- | |
| If you happen to be creating large chunks of data as a secret (RSA for instance), you may find it that the TTY behaves strangely. For instance, replaces random characters in your blob (I know, HOW WOULD YOU KNOW!?) with arbitrary different characters... | |
| It is possible to exec your desired command directly on the box without _really_ hijacking a container. | |
| fly --target "$CONCOURSE_NAME" hijack --job "$(cat job-metadata/build-pipeline-name)/$(cat job-metadata/build-job-name)" -- aws ssm put-parameter # ... | |
| --- | |
| Fly can only hijack containers that are running or have recently run | |
| If you are experiencing problems try running this job again. | |
| --- | |
| Sleeping for a while so you can hijack this job | |
| HELP | |
| sleep 60 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment