Programatically retrieve NuGet API Key (#29)

Author: gordonpn

buildspecs/buildspec.canary.yml

@@ -17,8 +17,5 @@ phases:
       - timeout 15 sh -c "until docker info; do echo .; sleep 1; done"
   build:
     commands:
-      # install the latest patch version of 3.1
-      - curl -sSL https://dot.net/v1/dotnet-install.sh | bash /dev/stdin -c 3.1
-      - dotnet --version
-      - dotnet nuget --version
+      - ./scripts/install-dotnet.sh
       - ./scripts/deploy-canary.sh

buildspecs/buildspec.release.yml

@@ -4,16 +4,14 @@ env:
   variables:
     AWS_REGION: us-west-2
   parameter-store:
-    NUGET_API_KEY: NuGetAPIKey
+    ROLE_ARN: NugetCrossAccountArn
+    SECRET_ARN: SecretArnNuget
 phases:
   install:
     runtime-versions:
       dotnet: 3.1
   build:
     commands:
-      # install the latest patch version of 3.1
-      - curl -sSL https://dot.net/v1/dotnet-install.sh | bash /dev/stdin -c 3.1
-      - dotnet --version
-      - dotnet nuget --version
+      - ./scripts/install-dotnet.sh
       - dotnet restore
       - ./scripts/publish-package.sh

buildspecs/buildspec.yml

@@ -17,10 +17,7 @@ phases:
       - timeout 15 sh -c "until docker info; do echo .; sleep 1; done"
   build:
     commands:
-      # install the latest patch version of 3.1
-      - curl -sSL https://dot.net/v1/dotnet-install.sh | bash /dev/stdin -c 3.1
-      - dotnet --version
-      - dotnet nuget --version
+      - ./scripts/install-dotnet.sh
       - pwd && ./scripts/start-agent.sh
       - dotnet restore
       - dotnet build

scripts/install-dotnet.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+# print command before they are executed without expanding variables
+set -v
+
+# install the latest patch version of 3.1
+curl -sSL https://dot.net/v1/dotnet-install.sh | bash /dev/stdin -c 3.1
+dotnet --version
+dotnet nuget --version

scripts/publish-package.sh

@@ -1,14 +1,33 @@
 #!/usr/bin/env bash
-#
-# Run integration tests against a CW Agent.
-# 
-# usage:
-#   export AWS_ACCESS_KEY_ID=
-#   export AWS_SECRET_ACCESS_KEY=
-#   export AWS_REGION=us-west-2
-#   ./start-agent.sh
 
-source ./utils.sh
+scripts_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd -P)
+source "$scripts_dir"/utils.sh
+
+NUGET_API_KEY=""
+
+function assume_role_and_get_key() {
+  ROLE_ARN=$1
+  OUTPUT_PROFILE="publishing-profile"
+  echo "Assuming role $ROLE_ARN"
+  sts=$(aws sts assume-role \
+    --role-arn "$ROLE_ARN" \
+    --role-session-name "$OUTPUT_PROFILE" \
+    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
+    --output text)
+  check_exit
+  sts=($sts)
+  aws configure set aws_access_key_id "${sts[0]}" --profile "$OUTPUT_PROFILE"
+  aws configure set aws_secret_access_key "${sts[1]}" --profile "$OUTPUT_PROFILE"
+  aws configure set aws_session_token "${sts[2]}" --profile "$OUTPUT_PROFILE"
+  echo "Credentials stored in the profile named $OUTPUT_PROFILE"
+
+  NUGET_API_KEY=$(aws secretsmanager \
+    --profile "$OUTPUT_PROFILE" \
+    get-secret-value \
+    --secret-id "$SECRET_ARN" \
+    | jq '.SecretString | fromjson.Key' | tr -d '"')
+  check_exit
+}
 
 # publish <package-name>
 function publish() {
@@ -26,6 +45,8 @@ function publish() {
     popd
 }
 
+assume_role_and_get_key "$ROLE_ARN"
+
 validate "$NUGET_API_KEY" "NUGET_API_KEY"
 validate "$CODEBUILD_BUILD_NUMBER" "CODEBUILD_BUILD_NUMBER"
 

scripts/utils.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/env zsh
+#!/usr/bin/env bash
 
 function check_exit() {
     last_exit_code=$?