
CodeBuild fails to resolve HTTPS URL from Secrets Manager and ingest it before starting the DOWNLOAD_SOURCE phase

0

My existing CodeBuild pipeline is configured to run on GitHub Push and PullRequest events. All resources run inside a VPC and must use an outbound HTTP proxy. The proxy URL (including username and password) is stored in AWS Secrets Manager. In the current setup, the Pipeline successfully retrieves the secret (used as https_proxy) and can download the GitHub source code without issues.

I am now adding support for triggering the pipeline based on GitHub Release events. To accomplish this, I created a separate "helper" CodeBuild Project, which is invoked every time a new GitHub Release is published. This helper project is triggered correctly, and the build starts as expected.

However, the proxy URL secret is causing a problem: when I configure the https_proxy environment variable with type SECRETS_MANAGER, the build fails to download the GitHub source. The build logs show the following error:

[Container] 2026/03/31 09:50:13.404649 Running on CodeBuild On-demand
[Container] 2026/03/31 09:50:13.404714 Waiting for agent ping
[Container] 2026/03/31 09:50:13.806672 Waiting for DOWNLOAD_SOURCE
Get "https://github.com/MY-ORG/MY-REPO.git/info/refs?service=git-upload-pack": proxyconnect tcp: dial tcp :0: connect: connection refused for primary source and source version test-tag-v0.0.7

If I instead provide the HTTPS proxy URL (https_proxy) as a PLAINTEXT environment variable, the build works and CodeBuild can download the source code successfully. For testing, I also added another env variable HTTPS_PROXY_HOST of type SECRETS_MANAGER within the same configuration. That variable is resolved correctly (the CloudFormation resource definition is included below).

My question:

Is this expected behavior for CodeBuild when using SECRETS_MANAGER environment variables for proxy configuration? Or is there a configuration issue in my setup?

Any guidance or clarification would be greatly appreciated.

  CodeBuildReleaseTrigger:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Type: NO_ARTIFACTS
      Environment:
        EnvironmentVariables:
# This secret value can not be resolved before the DOWNLOAD_SOURCE phase
#          - Name: https_proxy
#            Type: SECRETS_MANAGER
#            Value: "MyAppSecrets:HTTPS_PROXY_URL::"
          - Name: https_proxy
            Value:
              'Fn::Sub':
                - 'http://{{resolve:secretsmanager:${Arn}:SecretString:username:AWSCURRENT:}}:{{resolve:secretsmanager:${Arn}:SecretString:password:AWSCURRENT:}}@${URI}:8080'
                - URI: !GetAtt [ Proxy, URI ]
                  Arn: !GetAtt [ ProxyCredentials, Arn ]
          - Name: HTTPS_PROXY_HOST
            Type: SECRETS_MANAGER
            Value: "MyAppSecrets:HTTPS_PROXY_HOST::"
          - Name: no_proxy
            Value: 'amazonaws.com'
          - Name: PIPELINE_NAME
            Value: !Sub 'myapp-build-pipeline-${ParamGithubMainBranch}'
        ComputeType: BUILD_GENERAL1_SMALL
        Type: ARM_CONTAINER
        Image: 'aws/codebuild/amazonlinux2-aarch64-standard:3.0'
      Name: !Sub 'myapp-release-trigger-${ParamGithubMainBranch}'
      ServiceRole: !GetAtt [ CodeBuildExecutionRole, Arn ]
      Triggers:
        Webhook: true
        BuildType: BUILD
        FilterGroups:
          - - Type: EVENT
              Pattern: RELEASED
      Source:
        Auth:
          Type: CODECONNECTIONS
          Resource: !Ref ParamGithubConnection
        BuildSpec: |
          version: 0.2
          phases:
            install:
              commands:
                - echo "no_proxy=$no_proxy"
                - echo "PIPELINE_NAME=$PIPELINE_NAME"
                - echo "HTTPS_PROXY_HOST=$HTTPS_PROXY_HOST"
            build:
              commands:
                - echo "CODEBUILD_WEBHOOK_TRIGGER=$CODEBUILD_WEBHOOK_TRIGGER"
                - echo "CODEBUILD_SOURCE_VERSION=$CODEBUILD_SOURCE_VERSION"
                - aws codepipeline start-pipeline-execution --name "$PIPELINE_NAME"
        Type: GITHUB
        GitCloneDepth: 1
        Location: !Sub 'https://github.com/MY-ORG/MY-REPO.git'
      VpcConfig:
        SecurityGroupIds: [ !Ref BuildSecurityGroup ]
        Subnets: !GetAtt [ SharedVpc, Subnets ]
        VpcId: !GetAtt [ SharedVpc, VpcId ]
2 Answers
4
Accepted Answer

As far as I understand the issue, the previous answer regarding IAM permissions is a good first step, but it likely doesn't address the root cause here. This is a known architectural limitation in AWS CodeBuild when operating inside a VPC with a mandatory proxy.

The Problem: Lifecycle Timing

The issue is the sequence of events during the CodeBuild provisioning process:

  • Container Provisioning: CodeBuild starts the executor.
  • Environment Initialization: This is where the agent attempts to set up the network.
  • DOWNLOAD_SOURCE Phase: The agent attempts to clone the repository from GitHub.
  • Secret Resolution: CodeBuild resolves environment variables of type SECRETS_MANAGER.

When you define https_proxy as type SECRETS_MANAGER, the value is often not resolved and injected into the shell environment early enough for the git client to use it during the DOWNLOAD_SOURCE phase. Because the build is in a VPC and requires a proxy to reach GitHub, the git clone fails before the agent has even "fetched" the secret value from the Secrets Manager service.

Why PLAINTEXT and Dynamic References work

  • PLAINTEXT: The value is available immediately upon container start.
  • CloudFormation Dynamic References ({{resolve:secretsmanager:...}}): These are resolved by CloudFormation at deployment time. The actual string is passed to the CodeBuild Project configuration as a static value. Therefore, the agent knows the proxy credentials the moment it initializes, allowing the source download to succeed.

Your current workaround using CloudFormation Dynamic References is actually the standard industry fix for this specific "bootstrap" problem as far as I know.

Keep in mind:

  • Rotation: If you use Dynamic References, CodeBuild will not see an updated password if the secret is rotated in Secrets Manager until you re-deploy the CloudFormation stack.
  • Security: While this is more secure than hardcoding, the resolved secret will be visible in the CodeBuild console's "Environment" tab unless you take extra precautions.

see also:

Alternative: If you need to handle rotation without re-deploying, the only other way is to move the source download out of the DOWNLOAD_SOURCE phase (by using NO_SOURCE and manually performing a git clone in the PRE_BUILD phase after manually fetching the secret via AWS CLI), but this is significantly more complex and loses the native Webhook integration.
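The NO_SOURCE alternative sketched above, written out as an added buildspec example (it is not part of either answer or of the questioner's template). It assumes the secret layout from the question (a JSON secret named MyAppSecrets with an HTTPS_PROXY_URL key), that jq is present on the build image, and that whoever starts the build passes the tag to clone as a RELEASE_TAG environment variable, since the GitHub webhook no longer supplies a source version once the project has no source.

```yaml
# Added example: project Source.Type is NO_SOURCE, so this buildspec must be inline
# in the project definition and DOWNLOAD_SOURCE has nothing to fetch through the proxy.
version: 0.2
phases:
  pre_build:
    commands:
      # Keep AWS API calls off the proxy, as the original template does with no_proxy.
      - export no_proxy="amazonaws.com"
      # Fetch the proxy URL (with embedded credentials) only inside this shell.
      # CodeBuild logs the command text, not the expanded value, so the secret
      # does not land in the build log or in the project's Environment tab.
      # Assumed secret shape: {"HTTPS_PROXY_URL": "http://user:pass@proxy-host:8080", ...}
      - export https_proxy="$(aws secretsmanager get-secret-value --secret-id MyAppSecrets --query SecretString --output text | jq -r .HTTPS_PROXY_URL)"
      - test -n "$https_proxy" || { echo "proxy secret is empty"; exit 1; }
      # git honours https_proxy from the environment; RELEASE_TAG is an assumed input.
      - git clone --depth 1 --branch "$RELEASE_TAG" https://github.com/MY-ORG/MY-REPO.git src
  build:
    commands:
      - echo "Cloned $RELEASE_TAG, starting $PIPELINE_NAME"
      - aws codepipeline start-pipeline-execution --name "$PIPELINE_NAME"
```

Because the secret is read at build time, a rotated password is picked up on the next build without redeploying the stack, which is the trade-off the answer describes against losing the native webhook trigger.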

EXPERT
answered 2 months ago
EXPERT
reviewed 2 months ago
  • Thank you very much for your comprehensive explanation.

1

Sounds like the CodeBuild role doesn't have IAM permissions to get the secret or decrypt it. You can use CloudTrail to look for error messages which would point to the issue. If you compare the existing project to your new one, check the IAM permissions and the KMS key used by the secret, as the CFN template doesn't uncover that part of your solution.

EXPERT
answered 2 months ago
EXPERT
reviewed 2 months ago
  • Thank you for your comment
