https://github.com/nuuday/drone-azure-key-vault

https://github.com/nuuday/drone-azure-key-vault

Last synced: 4 months ago
JSON representation

• Host: GitHub
• URL: https://github.com/nuuday/drone-azure-key-vault
• Owner: nuuday
• License: other
• Created: 2020-06-30T11:11:35.000Z (almost 5 years ago)
• Default Branch: master
• Last Pushed: 2020-06-30T12:50:15.000Z (almost 5 years ago)
• Last Synced: 2023-03-03T19:33:51.549Z (over 2 years ago)
• Language: Go
• Size: 10.7 KB
• Stars: 0
• Watchers: 2
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE.md

Awesome Lists containing this project

README

        
A secret extension to A secret extension that provides optional support for sourcing secrets from Azure Key Vault. _Please note this project requires Drone server version 1.4 or higher._

## Installation

Create a shared secret:

```console

$ openssl rand -hex 16

bea26a2221fd8090ea38720fc445eca6

```

Download and run the plugin:

```

$ docker run -d \

  --publish=3000:3000 \

  --env=DRONE_DEBUG=true \

  --env=DRONE_SECRET=bea26a2221fd8090ea38720fc445eca6 \

  --env=AZURE_TENANT_ID=$AZURE_TENANT_ID \

  --env=AZURE_CLIENT_ID=$AZURE_CLIENT_ID \

  --env=AZURE_CLIENT_SECRET=$AZURE_CLIENT_SECRET \

  --restart=always \

  --name=secrets /drone-azure-key-vault

```

Update your runner configuration to include the plugin address and the shared secret.

```text

DRONE_SECRET_PLUGIN_ENDPOINT=http://1.2.3.4:3000

DRONE_SECRET_PLUGIN_TOKEN=bea26a2221fd8090ea38720fc445eca6

```

## Azure Key Vault

[Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/) is a

tool for securely storing and accessing secrets. The Azure Key Vault extension

provides your pipeline with access to Azure Key Vault secrets.

### Required Azure environment variables

- `AZURE_TENANT_ID`: Specifies the Tenant to which to authenticate.

- `AZURE_CLIENT_ID`: Specifies the app client ID to use.

- `AZURE_CLIENT_SECRET`: Specifies the app secret to use.

The app client specified in the environment variables needs to have `READ` access

to the Key Vaults which are going to be accessed in the pipelines.

### Creating secrets

Use the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)

to create secrets in the Key Vault.

In the below example we store the Docker username and password.

```

$ az keyvault secret set --vault-name vault-dev --name docker-username --value user

$ az keyvault secret set --vault-name vault-dev --name docker-password --value pass

```

### Accessing the secrets

Once the secrets are stored in Azure key vault, we can update the yaml

configuration to use those secrets.

To access them, first we need to define a secret resource for each external

secret:

```

---

kind: secret

name: docker-username

get:

  path: vault-dev

  name: docker-username

---

kind: secret

name: docker-password

get:

  path: vault-dev

  name: docker-password

```

The `path` to the secret is the `Azure Key Vault` name, and `name` is the

secret name we want to fetch from the Key Vault.

Referencing them in the yaml configuration:

```

kind: pipeline

name: default

steps:

- name: build

  image: alpine

  environment:

    DOCKER_USERNAME:

      from_secret: docker-username

    DOCKER_PASSWORD:

      from_secret: docker-password

---

kind: secret

name: docker-username

get:

  path: vault-dev

  name: docker-username

---

kind: secret

name: docker-password

get:

  path: vault-dev

  name: docker-password

...

```

### Limiting access

Secrets are available to all repositories and all build events by default.

Limiting the access works in the same way as for the other Drone external secrets

plugin. More details can be found [here](https://docs.drone.io/secret/external/vault/#limiting-access).

**Note**: The access is limited at a Vault level currently.

Example: Limiting the Key Vault secrets to be used in a single repository

```

$ az keyvault secret set --vault-name vault-dev --name x-drone-repos --value octocat/hello-world

```