Migrate sonatype username to secrets manager, allowing for migration …

…to tokens for auth. (aws#5297) * Migrate sonatype username to secrets manager, allowing for migration to tokens for auth. * Fix typo in release-to-maven buildspec.
akidambisrinivasan · Jun 28, 2024 · e044833 · e044833
1 parent 9c6d436
commit e044833
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/buildspecs/release-to-maven.yml b/buildspecs/release-to-maven.yml
@@ -15,20 +15,23 @@ phases:
       - SDK_SIGNING_GPG_KEYNAME_ARN="arn:aws:secretsmanager:us-east-1:103431983078:secret:sdk-signing-gpg-keyname-wFsOOg"
       - SDK_SIGNING_GPG_PASSPHRASE_ARN="arn:aws:secretsmanager:us-east-1:103431983078:secret:sdk-signing-gpg-passphrase-A0H1Kq"
       - SONATYPE_PASSWORD_ARN="arn:aws:secretsmanager:us-east-1:103431983078:secret:sonatype-password-I2V6Y0"
+      - SONATYPE_USERNAME_ARN="arn:aws:secretsmanager:us-east-1:103431983078:secret:sonatype-username-HphNZQ"
 
   build:
     commands:
       - RELEASE_VERSION=`mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec`
       - SONATYPE_URL="https://aws.oss.sonatype.org/service/local/repositories/releases/content/software/amazon/awssdk/aws-sdk-java/$RELEASE_VERSION/"
       - |
         if ! curl -f --head $SONATYPE_URL; then
+          SONATYPE_USERNAME=`aws secretsmanager get-secret-value --secret-id $SONATYPE_USERNAME_ARN --query SecretString --output text`
           SONATYPE_PASSWORD=`aws secretsmanager get-secret-value --secret-id $SONATYPE_PASSWORD_ARN --query SecretString --output text`
           SDK_SIGNING_GPG_KEYNAME=`aws secretsmanager get-secret-value --secret-id $SDK_SIGNING_GPG_KEYNAME_ARN --query SecretString --output text`
           SDK_SIGNING_GPG_PASSPHRASE=`aws secretsmanager get-secret-value --secret-id $SDK_SIGNING_GPG_PASSPHRASE_ARN --query SecretString --output text`
           aws secretsmanager get-secret-value --secret-id  $SDK_SIGNING_GPG_SECRING_ARN --query SecretBinary --output text | base64 -d > $SDK_SIGNING_GPG_SECRING
           gpg --passphrase $SDK_SIGNING_GPG_PASSPHRASE --batch --import $SDK_SIGNING_GPG_SECRING
 
           cat $SETTINGS_XML_TEMPLATE | \
+            awk 'BEGIN { var=ENVIRON["SONATYPE_USERNAME"] } { gsub("\\$SONATYPE_USERNAME", var, $0); print }' | \
             awk 'BEGIN { var=ENVIRON["SONATYPE_PASSWORD"] } { gsub("\\$SONATYPE_PASSWORD", var, $0); print }' | \
             awk 'BEGIN { var=ENVIRON["SDK_SIGNING_GPG_PASSPHRASE"] } { gsub("\\$SDK_SIGNING_GPG_PASSPHRASE", var, $0); print }' | \
             awk 'BEGIN { var=ENVIRON["SDK_SIGNING_GPG_KEYNAME"] } { gsub("\\$SDK_SIGNING_GPG_KEYNAME", var, $0); print }' > \

diff --git a/buildspecs/resources/release-settings.xml b/buildspecs/resources/release-settings.xml
@@ -2,7 +2,7 @@
     <servers>
         <server>
             <id>sonatype-nexus-staging</id>
-            <username>amazonwebservices</username>
+            <username>$SONATYPE_USERNAME</username>
             <password>$SONATYPE_PASSWORD</password>
         </server>
     </servers>