https://github.com/hasura/smooth-secrets-buildkite-plugin
A buildkite plugin to setup ssh keys and env secrets for your pipelines :butter: :lock:
https://github.com/hasura/smooth-secrets-buildkite-plugin
aws-secrets-manager buildkite buildkite-plugin secrets
Last synced: 6 months ago
JSON representation
A buildkite plugin to setup ssh keys and env secrets for your pipelines :butter: :lock:
- Host: GitHub
- URL: https://github.com/hasura/smooth-secrets-buildkite-plugin
- Owner: hasura
- License: apache-2.0
- Created: 2021-08-11T12:20:41.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2023-07-18T12:15:11.000Z (about 2 years ago)
- Last Synced: 2024-04-14T11:05:21.059Z (over 1 year ago)
- Topics: aws-secrets-manager, buildkite, buildkite-plugin, secrets
- Language: Shell
- Homepage:
- Size: 26.4 KB
- Stars: 11
- Watchers: 4
- Forks: 3
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# smooth-secrets-buildkite-plugin
A buildkite plugin to setup ssh keys and env secrets for your pipelines :butter: :lock:
## Usage
#### Exporting secrets to environment
```yml
steps:
- command: echo "\$SECRET_NAME" > secret.txt
plugins:
- hasura/smooth-secrets#v1.3.0:
secrets:
- strategy: aws-secrets-manager
region: us-east-2
key: secret/env
name: SECRET_NAME
type: env
```
#### Creating a file with the secret contents
```yml
steps:
- command: cd "$(dirname "${FILE_PATH_ENV}")" && cat "${FILE_NAME_ENV}"
plugins:
- hasura/smooth-secrets#v1.3.0:
secrets:
- strategy: aws-secrets-manager
region: us-east-2
key: secret/id
type: file
file_path_env: FILE_PATH_ENV
file_name_env: FILE_NAME_ENV
```
The path at which the file is created will be exported to the environment with the name given in `file_path_env` field. Likewise, the file name will be exported with the name given in `file_name_env`. For example, here, `FILE_PATH_ENV` var will be set to the file path and `FILE_NAME_ENV` will be set to the filename.
#### Adding an SSH key to `ssh-agent`
```yml
steps:
- command: ssh-add -l
plugins:
- hasura/smooth-secrets#v1.3.0:
secrets:
- strategy: aws-secrets-manager
region: us-east-2
key: secret/id
type: ssh
```
- smooth-secret expects the private SSH key to be stored as base64 value in the secrets manager. Use `cat | base64 -w 0` to get the base64 value.
- The private SSH key is stored in this directory: `/etc/buildkite-agent/buildkite-secrets/${BUILDKITE_BUILD_ID}/${BUILDKITE_JOB_ID}`. The filename is the `key` field value with any `/` replaced with `-`.
- The keys are added to a newly created `ssh-agent`, which is killed at the end of the job in `pre-exit` hook.
- The secrets directory is also removed in the `pre-exit` hook.
#### Exporting base64 decoded secrets to environment
If the secret is stored as base64 encoded value in the secret storage, then smooth-secret can automatically decode and populate such secrets via the `encoding` field.
```yml
steps:
- command: ssh-add -l
plugins:
- hasura/smooth-secrets#v1.3.0:
secrets:
- strategy: aws-secrets-manager
region: us-east-2
key: secret/env
name: SECRET_NAME
type: env
encoding: base64
```
## Configuration
### `secrets` (array)
- #### `strategy` (required, string)
Supported value: `aws-secrets-manager`
- #### `key` (required, string)
Secret id to refer to the secret in the secret storage.
- #### `type` (required, string)
Supported value: `ssh`, `env`, `file`
- ssh will add the secret value as a private ssh key to the ssh-agent.
- env will export the env for usage in the build.
- file will create a file with the secret value as contents
- #### `name` (string)
The name with which `env` type secrets will be exported.
Only required when the secret type is `env`.
- #### `region` (required, string)
Region value for aws
- #### `encoding` (optional, string)
Supported value: `base64`