Drone starlark convert doesn't leave values in double quotes

def main(ctx):
    return {
          "kind": "pipeline",
          "name": "sample",
          "steps": [{
            "name": "sample",
            "image": "sample-plugin",
            "settings": {
              "aws_arn": "arn:aws:iam::${account}:role/some-role"


kind: pipeline
name: sample

  os: linux
  arch: amd64

- name: sample
  image: sample-plugin
    aws_arn: arn:aws:iam::${account}:role/some-role


but I need the aws arn to be wrapped double quotes (“arn:aws:iam::${account}:role/some-role”), otherwise the step doesn’t work.

I’ve tried

but drone starlark convert just returns the same value:

any help on how to get around this would be awesome.


The yaml in the above example is valid yaml, no quoting is required. The only issue I see is ${account} which needs to be escaped [1]. For example:

-   aws_arn: "arn:aws:iam::${account}:role/some-role"
+   aws_arn: "arn:aws:iam::$${account}:role/some-role"

Here is how the value is passed to the plugin if unescaped:

"PLUGIN_AWS_ARN": "arn:aws:iam:::role/some-role"

Here is how the value is passed to the plugin if escaped and unquoted:

"PLUGIN_AWS_ARN": "arn:aws:iam::${account}:role/some-role"

Here is how the value is passed to the plugin if escaped and quoted:

"PLUGIN_AWS_ARN": "arn:aws:iam::${account}:role/some-role"

Notice that quoted vs unquoted does not make a difference. The values are both unmarshaled into a Go string at which point they are identical.

[1] https://docker-runner.docs.drone.io/configuration/environment/overview/#common-problems

Hm alright, that makes sense. I had tried earlier with escaping the env variable, but that didn’t work.

So I’m thinking this isn’t an issue with drone, but rather with how the plugin is parsing the env variables:

func Load() Config {
	config := Config{}
	if err := envconfig.Process("PLUGIN", &config); err != nil {
	return config

It doesn’t error on load, but I get the common AWS error “ValidationError: Request ARN is invalid” when the value isn’t wrapped in quotes :sweat_smile:

Thanks for your help, I’ll create an issue for the plugin.

one other thing that jumps out is the environment variable in your ARN


generally speaking, plugins do not automatically expand environment variables like this. Expanding variables is a shell script feature, but most plugins are written in Go and treat strings as literal values. This means the plugin will use the literal string value arn:aws:iam::${account}:role/some-role and will not replace ${account}.