Multi-Attribute Secrets

rchui · October 7, 2021, 11:02pm

We want our Drone runners to be able to perform actions across AWS accounts. In order to do so, we must assume an AWS IAM role that consists of an AWS access key id, an AWS secret access key, and an AWS session token. A single assume role request passes back all three pieces and all three pieces must be used together in order to assume a role.

A custom Drone secret extension can be used to call the AWS IAM API to assume the desired role but we’re having trouble getting the credentials back because the secret consists of multiple attributes and there is no functionality to reference a part of a secret.

Are there any recommendations about how we should go about doing this?

bradrydzewski · October 7, 2021, 11:16pm

Secrets are injected into pipeline steps as environment variables. So instead of using a secrets extension you could use an environment extension [1], which is just slightly lower level. The environment extension can return multiple environment variables, which would support the described use case (access key id, access key secret, and session token).

[1] https://docs.drone.io/extensions/environment/

rchui · October 7, 2021, 11:48pm

That is very interesting . If I’m interpreting the documentation correctly it sounds like a request is made to the environment extension once per pipeline?

bradrydzewski · October 8, 2021, 3:45am

yes, that is correct