How to securely access a secret like GITHUB_TOKEN inside testspec.yml in AWS Device Farm?

0

Hi,

I’m currently working with AWS Device Farm to execute automated tests and I’d like to ask for guidance regarding a specific need related to handling secrets within the test execution environment.

Scenario: In my particular use case, I need access to a GitHub token (GITHUB_TOKEN) from within the testspec.yml file, which is executed as part of a custom test environment in Device Farm.

This token is required to authenticate with GitHub during the test process (e.g., to clone private repositories, access releases, or interact with the GitHub API).

Key requirements:

  • The GITHUB_TOKEN should be treated as a secret, and therefore must not be exposed as a downloadable file or appear in plaintext within Device Farm artifacts.
  • For security and best practices, I do not want to hardcode this token in any file within the test or extraData package, nor expose it through environment variables that may be included in the resulting artifacts.
  • The goal is to keep the token completely outside of Device Farm’s environment, except at the exact moment of usage within testspec.yml.

Approaches considered:

  • I have explored using environmentVariables via the ScheduleRunCommand, but these variables do not seem to be accessible within the testspec.yml execution context.
  • I also considered generating a temporary file (e.g., JSON containing secrets) and including it via extraDataPackageArn, but this file ends up being downloadable as an artifact — which poses a security risk.
  • Additionally, Device Farm does not appear to allow access to AWS services such as SSM Parameter Store or Secrets Manager from within the testspec.yml environment, so querying secrets directly during test execution also seems unfeasible.

Question: Is there any officially supported and secure way to inject secrets like GITHUB_TOKEN into the Device Farm execution environment such that:

  • The value is available as an environment variable inside testspec.yml,
  • It is not exposed or downloadable as an artifact,
  • It follows AWS security best practices (i.e., no hardcoding, no plaintext credential exposure, no long-term storage inside the execution environment)?

Any guidance, workarounds, or clarification from the AWS team would be greatly appreciated.

Thank you in advance for your time and support.

Kind regards, David Álvarez

asked 10 months ago · 128 views
1 Answer
0

To answer your question, there is no out-of-the-box experience to inject your credentials at the test host level.

Here are some options which you can try.

  1. Use S3 Presigned URL: Pass an S3 presigned URL of a text file containing the GITHUB_TOKEN, with a short expiry time greater than the overall test execution time. During the test execution, you can call this S3 presigned URL to fetch the GITHUB_TOKEN at runtime.
  2. Device Farm VPC ENI Feature: To use networking-based restrictions to access any AWS services, you can execute the Device Farm job using the Device Farm VPC ENI feature. This feature creates an elastic network interface in your provided VPC configuration. You can then create private VPC endpoints for AWS services, such as Secrets Manager, AWS Lambda, or S3 buckets, and access your actual credentials using these VPC endpoints. This way, even if your scoped-down credentials or presigned URL are exposed, the network restrictions will prevent access to your actual credentials. Please note that the Device Farm VPC ENI feature is only available for Device Farm private devices. For more details related to private devices, refer to [1].

[1] https://docs.aws.amazon.com/devicefarm/latest/developerguide/working-with-private-devices.html

AWS
answered 10 months ago
