https://github.com/avaly/gcp-secret-manager-buildkite-plugin

A Buidkite plugin to read secrets from GCP Secret Manager into environment variables
https://github.com/avaly/gcp-secret-manager-buildkite-plugin

buildkite-plugin google-cloud google-cloud-platform google-secret-manager

Last synced: 9 days ago
JSON representation

A Buidkite plugin to read secrets from GCP Secret Manager into environment variables

• Host: GitHub
• URL: https://github.com/avaly/gcp-secret-manager-buildkite-plugin
• Owner: avaly
• License: mit
• Created: 2020-12-21T17:42:06.000Z (over 4 years ago)
• Default Branch: master
• Last Pushed: 2025-06-06T12:29:41.000Z (about 1 month ago)
• Last Synced: 2025-06-06T12:40:33.047Z (about 1 month ago)
• Topics: buildkite-plugin, google-cloud, google-cloud-platform, google-secret-manager
• Language: Shell
• Homepage:
• Size: 12.7 KB
• Stars: 9
• Watchers: 2
• Forks: 10
• Open Issues: 4
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        
# GCP Secret Manager Buildkite Plugin

[![GitHub Release](https://img.shields.io/github/release/avaly/gcp-secret-manager-buildkite-plugin.svg)](https://github.com/avaly/gcp-secret-manager-buildkite-plugin/releases) [![Build status](https://badge.buildkite.com/2d6dda24352064bc947c7affb868734d615bafeecb22102007.svg?branch=master)]()

A [Buildkite plugin](https://buildkite.com/docs/agent/v3/plugins) to read secrets from [GCP Secret Manager](https://cloud.google.com/secret-manager).

This plugin requires either a Google Cloud credentials file or application default credentials to be available on your

Buildkite Agent machines.

Other preinstalled requirements:

- [`gcloud`](https://cloud.google.com/sdk/)

## Example

Add the following to your `pipeline.yml`:

```yml

steps:

  - command: 'echo \$SECRET_VAR'

    plugins:

      - avaly/gcp-secret-manager#v1.4.0:

          credentials_file: /etc/gcloud-credentials.json

          env:

            SECRET_VAR: my-secret-name

            OTHER_SECRET_VAR: my-other-secret-name

```

## Configuration

### `credentials_file` (optional, string)

The file path of a Google Cloud [credentials file][1] which is used to access the secrets. If not specified, the

[application default credential][2] will be searched for and used if available.  The account credential must have the

Secret Accessor role for the secret being accessed (`roles/secretmanager.secretAccessor`).

### `env` (object)

An object defining the export variables names and the secret names which will populate the values.

The secret names can be expressed:

- using only the secret name: `{secret-name}`

- using a fully qualified name: `projects/{project-id-or-number}/secrets/{secret-name}/versions/{version}` (if the `/versions/{version}` is not included, the `latest` version will be used)

## Developing

To run the tests:

```shell

docker-compose run --rm shellcheck

docker-compose run --rm tests

```

## Contributing

1. Fork the repo

2. Make the changes

3. Run the tests

4. Commit and push your changes

5. Send a pull request

[1]: https://developers.google.com/workspace/guides/create-credentials#create_credentials_for_a_service_account

[2]: https://cloud.google.com/docs/authentication/application-default-credentials