Drone

Drone AWS Lambda deploy supports secrets?

Hi,

I have been using Drone as CI/CD, running on AWS EC2 instances (hosted in ap-south-1) attached with IAM roles (the roles include all required IAM permissions for activities performed by Drone). I am using the Drone AWS Lambda deploy plugin to deploy the Lambda function code from an S3 bucket.

Both the S3 bucket and the Lambda function are in the same region (ap-south-1), but the problem is that when the pipeline tries to deploy the package, it throws the AWS region issue mentioned below. I have checked the link for this plugin, where it is written that the aws_default_region secret can be passed to override the profile’s default region. I passed the secret to the Lambda deploy plugin using both names, aws_region as well as aws_default_region, but no luck so far; the same issue kept coming.

Please let me know if secrets are supported by this plugin, or if we can pass the AWS region in the plugin definition via a parameter that is not mentioned in the plugin docs. Find the details below:

  1. Error thrown by aws lambda deploy plugin:
    AuthorizationHeaderMalformed. S3 Error Message: The authorization header is malformed; the region ‘us-east-1’ is wrong; expecting ‘ap-south-1’

  2. Drone pipeline configuration:

  • First, I created secrets like aws_region and aws_default_region = ap-south-1
  • drone.yml
    deploylambda:
      image: omerxx/drone-lambda-plugin
      function_name: drone
      s3_bucket: my-sandeep-state
      file_name: cargill-${DRONE_BUILD_NUMBER}.zip
      secrets: [ AWS_DEFAULT_REGION ]
    as well as with secrets: [ AWS_REGION ]

Secrets are case sensitive? I mean, the secret is created in small letters, and we can define them in secrets: [ in both small and capital letters ]? And these will be exposed to pipeline containers in CAPS.

Please let me know if I am doing it the wrong way.

Thx,
Sandeep

Please see http://docs.drone.io/secrets-not-working/ and if you are still having difficulty please provide all 4 items requested here http://docs.drone.io/secrets-not-working/#still-having-trouble

Also we would need to see your plugin source code to make sure it is looking for the correct variables. Please provide a link to the code in your reply as well.

Hi, I am trying to use the drone aws-lambda plugin.

The docs contain this section:

Secret Reference

It is highly recommended to make use of IAM roles instead of environment variables for AWS (Considering you are running Drone on AWS)

aws_access_key_id
AWS access key
aws_secret_access_key
AWS secret key. Access and secret key variables override credentials stored in config files
aws_default_region
AWS region. This variable overrides the default region of the in-use profile, if set

If these are not set, the plugin will use the instance IAM role [ Recommended method ]

However, even with these variables set (aws_default_region, aws_access_key_id and aws_secret_access_key), the plugin does not work.

I get the following error:

NoCredentialProviders: no valid providers in chain. Deprecated.
For verbose messaging see aws.Config.CredentialsChainVerboseErrors 

Any ideas on this?

I also tried setting:

AWS_ACCESS_KEY_ID
AWS_REGION
AWS_SECRET_ACCESS_KEY

That didn’t work either.

Then I tried setting AWS_SDK_LOAD_CONFIG to 0. No luck there, either.

One thing I notice is that this particular plugin’s documentation is using the old 0.8 YAML format. Many plugins are third party and the authors may not have updated the documentation yet. I presume you are using Drone 1.0 and not 0.8. Here is a guide that shows how 0.8 and 1.0 syntax differ and how you can supply secrets to plugin parameters in 1.0:

https://docs.drone.io/user-guide/pipeline/migrating/#plugins
https://docs.drone.io/user-guide/pipeline/migrating/#secrets

Adding the following to my plugin step fixed the issue:

    environment:
      AWS_ACCESS_KEY_ID:
        from_secret: AWS_ACCESS_KEY_ID
      AWS_SECRET_ACCESS_KEY:
        from_secret: AWS_SECRET_ACCESS_KEY
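
An added example, not part of the thread or the plugin's code: a name-only check that can run in a step given the same environment block, to confirm the secrets reached the container without printing their values. It assumes the plugin reads credentials and region the way the AWS SDK for Go v1 does (the NoCredentialProviders error quoted above is that SDK's message); the script name check_aws_env.sh is hypothetical.

```sh
#!/bin/sh
# Added example (not the plugin's code): name-only check of the AWS settings a
# Drone step exposes. Values are never printed, so nothing leaks into build logs.
# Assumption: settings are resolved like the AWS SDK for Go v1 environment provider.

# is_set NAME: succeeds if variable NAME is set and non-empty.
is_set() {
    eval "[ -n \"\${$1:-}\" ]"
}

# first_set NAME...: prints the first NAME that is set; fails if none is.
first_set() {
    for candidate in "$@"; do
        if is_set "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# region_names: AWS_DEFAULT_REGION only counts when AWS_SDK_LOAD_CONFIG is truthy.
region_names() {
    case "${AWS_SDK_LOAD_CONFIG:-}" in
        1|t|T|true|TRUE|True) echo "AWS_REGION AWS_DEFAULT_REGION" ;;
        *) echo "AWS_REGION" ;;
    esac
}

# aws_env_report: one line per setting; exit status = number of missing settings.
aws_env_report() {
    missing=0
    for group in "AWS_ACCESS_KEY_ID AWS_ACCESS_KEY" \
                 "AWS_SECRET_ACCESS_KEY AWS_SECRET_KEY" \
                 "$(region_names)"; do
        # Word splitting of $group into candidate names is intended.
        if name=$(first_set $group); then
            echo "ok: $name is set"
        else
            echo "missing: none of [$group] is set"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Run as "sh check_aws_env.sh --check" from a step's commands.
if [ "${1:-}" = "--check" ]; then
    aws_env_report
    exit $?
fi
```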