Ajinkya aws codebuild prevention #123
base: development
Conversation
| ``` | ||
|
|
||
| 3. **Create a Python script to get project details:** | ||
| Use the `batch_get_projects` method to get details of the projects. Here's a sample script: |
Secret: Secret Keyword
| pip install boto3 | ||
| ``` | ||
| Then, configure your AWS credentials. You can do this by setting the following environment variables: | ||
| ``` |
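Review bot: the setup text "configure your AWS credentials ... by setting the following environment variables" tells readers to export static access keys, which is the very practice this page is trying to remove from CodeBuild. Point to the default credential chain instead (an IAM role on the machine running the script, or `aws configure` / a named profile), and make sure the fence that follows shows only placeholders such as `<AWS_ACCESS_KEY_ID>` rather than anything that looks like a real key.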
Secret: Secret Keyword
|
|
||
| ```python | ||
| projects = codebuild.list_projects()['projects'] | ||
| ``` |
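Review bot: `codebuild.list_projects()['projects']` reads only the first page; the API returns a `nextToken` when more projects exist, so any project past the first page is silently skipped by this check. Use `codebuild.get_paginator('list_projects')` and iterate over `page['projects']` for each page so the audit covers every project in the region.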
Secret: Secret Keyword
|
|
||
| ```python | ||
| import boto3 | ||
| session = boto3.Session( |
Secret: Secret Keyword
|
|
||
| response = codebuild.list_projects() | ||
|
|
||
| projects = response['projects'] |
Secret: Secret Keyword
|
|
||
| ```python | ||
| import boto3 | ||
|
|
Secret: Secret Keyword
|
|
||
| By following these steps, you can prevent the use of plaintext AWS credentials in environment variables for your CodeBuild projects. | ||
| </Accordion> | ||
|
|
Secret: Secret Keyword
|
|
||
| 4. **Use AWS Secrets Manager or Parameter Store for Sensitive Data:** | ||
| If you need to use sensitive data, store it in AWS Secrets Manager or AWS Systems Manager Parameter Store and reference it in your buildspec file. | ||
|
|
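Review bot: step 4 says to "reference it in your buildspec file" but never shows how, which is the part readers get wrong. Add the buildspec mapping they need (`env:` with `secrets-manager:` or `parameter-store:` entries that CodeBuild resolves into environment variables at build time) and state that the project's service role must be allowed `secretsmanager:GetSecretValue` or `ssm:GetParameters` on those resources, otherwise the build fails while resolving the environment.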
Secret: Secret Keyword
| Enable CloudWatch Logs and AWS Config to monitor and log any changes or access to your CodeBuild projects and secrets. | ||
|
|
||
| ```sh | ||
| aws logs create-log-group --log-group-name /aws/codebuild/MyProject |
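Review bot: `aws logs create-log-group --log-group-name /aws/codebuild/MyProject` only creates an empty log group; it does not make MyProject write to it. Build logs reach CloudWatch only when the project's `logsConfig.cloudWatchLogs.status` is `ENABLED` (set through `aws codebuild update-project`), so the step needs that call as well. Also, "access to your ... secrets" is recorded by CloudTrail (the `GetSecretValue` and `GetParameter` API events), not by CloudWatch Logs or AWS Config, so name CloudTrail in the monitoring sentence above.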
Secret: Secret Keyword
| if 'auth' in source: | ||
| auth = source['auth'] | ||
| if auth['type'] == 'OAUTH' and 'resource' in auth: | ||
| print(f"Sign-in credentials found in source repository URL: {auth['resource']}") |
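Review bot: the condition `auth['type'] == 'OAUTH' and 'resource' in auth` does not detect credentials in the repository URL; it fires on projects that use CodeBuild's OAuth connection, which is the recommended alternative, and it raises `KeyError` when `auth` has no `type`. Credentials embedded in a URL live in the userinfo part of `source['location']`, so parse that value with `urllib.parse.urlparse` and flag the project when `.username` or `.password` is set; the message printed should then quote the location with the userinfo redacted rather than echoing `auth['resource']`.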
Secret: Secret Keyword
|
|
||
| 2. **Use AWS Secrets Manager for Storing Credentials**: | ||
| Store your Bitbucket credentials in AWS Secrets Manager instead of hardcoding them in your source repository URL. | ||
|
|
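Review bot: moving the Bitbucket credentials into Secrets Manager is only half the fix; step 2 should say how CodeBuild then reaches the repository without the secret in the URL. Mention registering the token as CodeBuild source credentials (`aws codebuild import-source-credentials --server-type BITBUCKET ...`) or the project's `source.auth` setting, state that the project's `location` must be rewritten to the bare `https://bitbucket.org/...` URL afterwards, and add that the credentials that were sitting in the URL should be rotated, since they remain in the project's configuration history.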
Secret: Secret Keyword
| ```python | ||
| import boto3 | ||
|
|
||
| session = boto3.Session( |
Secret: Secret Keyword
| ``` | ||
|
|
||
| 3. **Get project details:** | ||
| For each project, use the `batch_get_projects` method to get the project details. This will include information about the build configuration, including whether CodeDeploy is enabled. Here is a sample script: |
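Review bot: "including whether CodeDeploy is enabled" is not something `batch_get_projects` reports; the project object it returns describes source, environment, artifacts, logs and similar build settings, not CodeDeploy. State which field of the project object the sample script inspects (or drop the CodeDeploy reference) so the reader knows what this check actually evaluates.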
Secret: Secret Keyword
| pip install boto3 | ||
| ``` | ||
| Then, configure your AWS credentials. You can do this by setting the following environment variables: | ||
| ``` |
Secret: Secret Keyword
| response = client.list_projects() | ||
|
|
||
| for project in response['projects']: | ||
| project_details = client.batch_get_projects(names=[project]) |
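Review bot: `client.batch_get_projects(names=[project])` inside the loop makes one API call per project even though the call accepts up to 100 names; pass the project list in chunks of 100 instead, which also keeps the audit under the API rate limit on large accounts. `client.list_projects()` on the line above is unpaginated as well, so pair the chunking with a `list_projects` paginator or the loop misses every project past the first page.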
Secret: Secret Keyword
| ```python | ||
| import boto3 | ||
|
|
||
| session = boto3.Session( |
Secret: Secret Keyword
| projects = codebuild.list_projects()['projects'] | ||
| for project in projects: | ||
| project_details = codebuild.batch_get_projects(names=[project])['projects'][0] | ||
| project_region = project_details['arn'].split(':')[3] |
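Review bot: `project_region = project_details['arn'].split(':')[3]` always yields the region the `codebuild` client was created in, because `list_projects` is a regional call; it never discovers projects in other regions, so the variable adds nothing here. If the goal is an account-wide inventory, loop over `session.get_available_regions('codebuild')` and create a client per region; the ARN index itself is correct (`arn:partition:service:region:account:...`), and this loop has the same first-page-only `list_projects` issue as the earlier scripts.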
Secret: Secret Keyword
| 2. Create a session using your AWS credentials. Replace 'aws_access_key_id', 'aws_secret_access_key', and 'aws_session_token' with your actual AWS credentials. | ||
|
|
||
| ```python | ||
| session = boto3.Session( |
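Review bot: step 2 asks readers to paste `aws_access_key_id`, `aws_secret_access_key` and `aws_session_token` into the script, which puts long-lived keys in a file that tends to get committed, on a page whose subject is keeping plaintext AWS credentials out of CodeBuild. Call `boto3.Session()` with no arguments (or simply `boto3.client('codebuild')`) and let the default credential chain supply an instance role, SSO session or named profile; that also stops the secret scanner from flagging this hunk, since no key names appear as keyword arguments with values.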
Secret: Secret Keyword
No description provided.