This lab is currently in Beta; content may be updated as we refine the material.
Lab: Intermediate

Pipeline Secrets and Approvals

Inject Secrets Manager secrets into a CodeBuild stage and add manual approval gates with SNS notifications, then verify that secrets remain masked throughout the entire pipeline lifecycle.

50 minutes
aws/devops

Lab Overview

In this lab you will build a complete CodePipeline that securely injects a Secrets Manager secret into a CodeBuild stage and enforces a manual approval gate backed by SNS notifications.

You will:

  • Create a Secrets Manager secret storing a simulated API key
  • Create an SNS topic for approval notifications
  • Create least-privilege IAM roles for CodeBuild and CodePipeline with scoped secrets access
  • Author a buildspec that references the secret via the secrets-manager env section
  • Build a four-stage pipeline: Source (S3) → Build (CodeBuild with secret) → Manual Approval (SNS) → Deploy (S3)
  • Trigger the pipeline and inspect build logs to confirm the secret value is masked
  • Exercise the approval gate by approving and rejecting pipeline executions
  • Verify that secrets do not leak into CloudWatch logs, pipeline execution history, or artifact outputs

Region: `us-east-1`. All resources are tagged `lab=true,Course=dop-c02`.
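As an added example (not part of the lab's own material), a minimal buildspec of the kind the Build stage above would use: it pulls the secret through the `secrets-manager` env section and exercises it without ever echoing the value. The secret name `lab/api-key`, its JSON key `apiKey`, and the `API_KEY` variable name are assumptions.

```yaml
version: 0.2

env:
  variables:
    AWS_REGION: "us-east-1"
  secrets-manager:
    # Assumed secret name and JSON key. Format is
    # secret-id:json-key:version-stage:version-id (trailing fields optional).
    # CodeBuild resolves this at build start and exports it as $API_KEY; the
    # CodeBuild role therefore needs secretsmanager:GetSecretValue on exactly
    # this secret's ARN, and nothing broader.
    API_KEY: "lab/api-key:apiKey"

phases:
  build:
    commands:
      # Fail fast if the secret was not injected (bad ARN, missing IAM grant).
      - 'test -n "$API_KEY" || { echo "API_KEY was not injected"; exit 1; }'
      # Prove injection worked without printing the value. CodeBuild masks
      # secrets-manager values in CloudWatch logs, but relying on masking
      # instead of not printing is the habit this lab is meant to break.
      - 'echo "Injected secret length ${#API_KEY} (value is never echoed)"'
      # Simulated build output; the secret must not be written into anything
      # that ends up in the artifact, since the Deploy stage copies it to S3.
      - mkdir -p out && echo "build ok" > out/status.txt

artifacts:
  files:
    - '**/*'
  base-directory: out
```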

What You'll Learn

Create a Secrets Manager secret and reference it in a CodeBuild buildspec via the secrets-manager env section

Create an SNS topic and wire it into a CodePipeline manual approval action

Build a least-privilege CodeBuild service role scoped to the specific secret ARN

Assemble a four-stage CodePipeline (Source, Build, Approval, Deploy) from the AWS CLI

Observe that Secrets Manager values are automatically masked in CodeBuild and CloudWatch logs

Exercise manual approval gates by approving and rejecting pipeline executions

Prerequisites

Basic AWS CLI familiarity

AWS associate-level knowledge

Completed the AWS DevOps CLI Operations Baseline lab

Technologies Covered

aws, codepipeline, codebuild, secrets-manager, sns, cicd, approvals, dop-c02

Part of a Course

This lab is part of the AWS Certified DevOps Engineer - Professional (DOP-C02) course
