Order of Plugins execution when listed with plugin seek-oss/aws-sm#v2.2.1

[Sachin155]

I have configured the steps where plugins listed in order

  - cultureamp/aws-assume-role#v0.1.0:
      role: "arn:aws:iam::1111111111111:role/buildkite-roles"
  - seek-oss/aws-sm#v2.2.1:
      env:
        GITHUB_TOKEN:
          secret-id: "buildkite-secret"
          json-key: ".github_token"

According to the documentation the plugins order of execution is based on the hooks defind here

Since the plugin cultureamp/aws-assume-role#v0.1.0 hook does not have a definition for environment, the secrets-manager's plugin hooks run before the aws-assume-role plugin's hook. due to which the pipeline job fails since agent underlying role does not access to secrets-manager.

Any suggestions would help.

[ishaqsharief318]

@Sachin155 - Tried the same thing and it looks like the aws-sm plugin is evaluated during the running environment hook stage as per this comment ( scroll all the way to the end ).

I'd be interested in knowing how you solved this issue

[jt-shippit]

Hi, We are starting to play with seek-oss/aws-sm and found this issue. I haven't tested it yet, but I wonder if a possible workaround would be to use the assume-role plugin to start a new sub-pipeline using the command buildkite-agent pipeline upload