GitLab CI/CD error: script config should be a string or a nested array of strings up to 10 levels deep

Guys, a simple CI/CD definition:

image: ansible:latest

.assume-role: &assume-role
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.com
  script:
    - >
      STS=($(aws sts assume-role-with-web-identity --role-arn ${AWS_ROLE_ARN_TEST}
      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
      --web-identity-token ${GITLAB_OIDC_TOKEN} --duration-seconds 3600 --query
      'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text))
    - export AWS_ACCESS_KEY_ID="${STS[0]}"
    - export AWS_SECRET_ACCESS_KEY="${STS[1]}"
    - export AWS_SESSION_TOKEN="${STS[2]}"
    - aws sts get-caller-identity

stages:
  - check_sec

check_sec:
  stage: check_sec
  variables:
    AWS_ROLE_ARN: $AWS_ROLE_ARN_TEST
    AWS_DEFAULT_REGION: $TEST_AWS_DEFAULT_REGION
  script:
    - *assume-role
    - echo "${GITLAB_OIDC_TOKEN}"
    - aws sts get-caller-identity
    - aws s3 ls
  only:
    - web
  tags:
    - environment_test

It throws this error:

script config should be a string or a nested array of strings up to 10 levels deep

Please let me know what's wrong. I have checked the YAML syntax using many YAML validators, but no luck. I have checked the GitLab documentation, but it all seems to look correct; maybe I'm tired and I don't see the relevant section in the documentation.

And yes, I saw this topic: https://forum.gitlab.com/t/how-to-fix-script-config-should-be-a-string-or-a-nested-array-of-strings-up-to-10-levels-deep/69843

Thanks

What you are doing is not supported: you are using YAML anchors to put the entire .assume-role job definition into script in the check_sec job. This is fine with YAML validators, but it is not a valid pipeline.

There are a couple of ways to achieve your setup, but I prefer the extends keyword, so I will use that. (I will also replace a couple of deprecated options with new ones.)

default:
  image: ansible:latest

.assume-role:
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.com
  before_script:
    - >
      STS=($(aws sts assume-role-with-web-identity --role-arn ${AWS_ROLE_ARN_TEST}
      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
      --web-identity-token ${GITLAB_OIDC_TOKEN} --duration-seconds 3600 --query
      'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text))
    - export AWS_ACCESS_KEY_ID="${STS[0]}"
    - export AWS_SECRET_ACCESS_KEY="${STS[1]}"
    - export AWS_SESSION_TOKEN="${STS[2]}"
    - aws sts get-caller-identity

stages:
  - check_sec

check_sec:
  extends: ['.assume-role']
  stage: check_sec
  variables:
    AWS_ROLE_ARN: $AWS_ROLE_ARN_TEST
    AWS_DEFAULT_REGION: $TEST_AWS_DEFAULT_REGION
  script:
    - echo "${GITLAB_OIDC_TOKEN}"
    - aws sts get-caller-identity
    - aws s3 ls
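  rules:
    # `only: web` in the question selects pipelines started from the web UI, i.e. the "web" pipeline source
    - if: $CI_PIPELINE_SOURCE == "web"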
  tags:
    - environment_test
1 Like
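
Another way to get the same reuse, shown as an added example that is not part of the original thread: GitLab's `!reference` tag pulls only the `script` list out of the hidden job, so `check_sec` receives a nested list of strings instead of a whole job mapping. Because `!reference` copies nothing else, `id_tokens` has to be declared on the job itself, and the debug `echo` of the token is left out so the ID token stays out of the job log.

```yaml
default:
  image: ansible:latest

stages:
  - check_sec

# Hidden job that only holds the reusable commands.
.assume-role:
  script:
    - >
      STS=($(aws sts assume-role-with-web-identity --role-arn "${AWS_ROLE_ARN_TEST}"
      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
      --web-identity-token "${GITLAB_OIDC_TOKEN}" --duration-seconds 3600 --query
      'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text))
    - export AWS_ACCESS_KEY_ID="${STS[0]}"
    - export AWS_SECRET_ACCESS_KEY="${STS[1]}"
    - export AWS_SESSION_TOKEN="${STS[2]}"

check_sec:
  stage: check_sec
  # !reference copies only the script list, so the token request lives here.
  # Without id_tokens on this job, GITLAB_OIDC_TOKEN would be empty.
  id_tokens:
    GITLAB_OIDC_TOKEN:
      aud: https://gitlab.com
  variables:
    AWS_ROLE_ARN: $AWS_ROLE_ARN_TEST
    AWS_DEFAULT_REGION: $TEST_AWS_DEFAULT_REGION
  script:
    # Expands to a list inside the list; GitLab flattens nested arrays of strings.
    - !reference [.assume-role, script]
    # Confirms which role the job assumed without printing any credential.
    - aws sts get-caller-identity
    - aws s3 ls
  rules:
    # Mirrors `only: web` from the question: pipelines started from the web UI.
    - if: $CI_PIPELINE_SOURCE == "web"
  tags:
    - environment_test
```

Generic YAML validators may reject the custom `!reference` tag; GitLab's own CI lint understands it.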

@balonik works perfect!
Thank you!

1 Like