Vault Secrets

The enterprise edition supports loading secrets from vault. Note that vault credentials must be globally configured by an administrator. Vault secrets are declared in your yaml configuration file and loaded at runtime.

Usage

Example configuration with vault secrets, passing them to the pipeline by name:

pipeline:
  build:
    image: golang
    commands:
      - go test
      - go build
  publish:
    image: plugins/docker
    repo: octocat/app
+   secrets: [ docker_username, docker_password ]

+secrets:
+  docker_username:
+    path: secret/docker_username
+  docker_password:
+    path: secret/docker_password

Add secrets to any valid path in vault using the vault command line utility:

vault write secret/docker_username value=...
vault write secret/docker_password value=...

Then include the secrets paths in your pipeline configuration:

secrets:
  docker_username:
    path: secret/docker_username
  docker_password:
    path: secret/docker_password

Alternate Names

In some cases the secret names in your vault instance may not match the names expected by the secrets. The secret names can be mapped to the correct values:

pipeline:
  build:
    image: golang
    commands:
      - go test
      - go build
  publish:
    image: plugins/docker
    repo: octocat/app
    secrets:
+     - source: username
+       target: docker_username
+     - source: password
+       target: docker_password

secrets:
- docker_username:
+ username:
    path: secret/docker_username
- docker_password:
+ password:
    path: secret/docker_password

Restricting Repos

You can restrict access to vault secrets based on repository name using the repo attribute. This is a comma-separated list with glob support.

vault write secret/password value=<value> repo=octocat/spoon-knife,octocat/hello-world
vault write secret/password value=<value> repo=octocat/hello-world
vault write secret/password value=<value> repo=octocat/*

Restricting Events

You can restrict access to vault secrets based on hook event using the event attribute. This may be a string or comma-separated list:

vault write secret/password value=<value> event=push
vault write secret/password value=<value> event=push,tag
vault write secret/password value=<value> event=push,pull_request

Restricting Images

You can restrict access to vault secrets to specific docker images using the image attribute. This may be a string or comma-separated list:

vault write secret/password value=<value> image=plugins/docker
vault write secret/password value=<value> image=plugins/ecr,plugins/s3

Questions?

We are always happy to help with questions you might have. Search our documentation or check out answers to common questions. You can also post questions or comments to our community forum.

Is there a mistake on this page? Please let us know or edit this page.