Vault
Updated 2 years ago
by
Admin
Vault secures, stores, and tightly controls access to tokens, passwords, certificates, keys, and other secrets in modern computing. The Vault extension provides your pipeline with access to Vault secrets.
Creating Secrets
Use the Vault command line tools to write secrets to the store. In the below example we store the Docker username and password.
1 $ vault kv put secret/docker \
2 username=octocat \
3 password=correct-horse-battery-staple
Accessing Secrets
Once our secrets are stored in Vault, we can update our yaml configuration file to request access to our secrets. First we define a secret resource in our yaml for each external secret. We include the path to the secret, and the name or key of value we want to retrieve:
1 ---
2 kind: pipeline
3 name: default
4
5 steps:
6 - name: build
7 image: alpine
8
9 ---
10 kind: secret
11 name: username
12 get:
13 path: secrets/data/docker
14 name: username
15
16 ---
17 kind: secret
18 name: password
19 get:
20 path: secrets/data/docker
21 name: password
22 ...
We can then reference the named secrets in our pipeline:
1 kind: pipeline
2 name: default
3
4 steps:
5 - name: build
6 image: alpine
7 environment:
8 USERNAME:
9 from_secret: username
10 PASSWORD:
11 from_secret: password
12
13 ---
14 kind: secret
15 name: username
16 get:
17 path: secrets/data/docker
18 name: username
19
20 ---
21 kind: secret
22 name: password
23 get:
24 path: secrets/data/docker
25 name: password
26
27 ...
Limiting Access
Secrets are available to all repositories and all build events by default. We strongly recommend that you limit access to secrets by repository, build events and branch. This can be done by adding special properties:
1 $ vault kv put secret/docker \
2 username=octocat \
3 password=correct-horse-battery-staple \
4 x-drone-events=push,tag \
5 x-drone-repos=octocat/*,spaceghost/* \
6 x-drone-branches=master,development
Limit By Repository
Use the X-Drone-Repos key to limit which repositories can access your secret. The value is a comma-separate list of glob patterns. If a repository name matches at least one of the patterns, it is granted access to the secret.
Limit access to a single repository:
1 $ vault kv put secret/docker \
2 username=octocat \
3 password=correct-horse-battery-staple \
4 x-drone-repos=octocat/hello-world
Limit access to all repositories in an organization:
1 $ vault kv put secret/docker \
2 username=octocat \
3 password=correct-horse-battery-staple \
4 x-drone-repos=octocat/*
Limit access to multiple repositories or organizations:
1 $ vault kv put secret/docker \
2 username=octocat \
3 password=correct-horse-battery-staple \
4 x-drone-repos=octocat/*,spaceghost/*
Limit By Event
Use the X-Drone-Events key to limit which build events can access your secret. The value is a comma-separate list of events. If a build matches at least one of the events, it is granted access to the secret.
Limit access to push and tag events:
1 $ vault kv put secret/docker \
2 username=octocat \
3 password=correct-horse-battery-staple \
4 x-drone-events=push,tag
You can combine annotations to limit by repository and event:
1 $ vault kv put secret/docker \
2 username=octocat \
3 password=correct-horse-battery-staple \
4 x-drone-events=push,tag \
5 x-drone-repos=octocat/*,spaceghost/*
Limit By Branch
Use the X-Drone-Branches key to limit which branch can access your secret. The value is a comma-separate list of branches. If a build matches at least one of the branch, it is granted access to the secret.
Limit access to master and development branches:
1 $ vault kv put secret/docker \
2 username=octocat \
3 password=correct-horse-battery-staple \
4 x-drone-branches=master,development
You can combine annotations whatever you need to limit by repository, event and branches:
1 $ vault kv put secret/docker \
2 username=octocat \
3 password=correct-horse-battery-staple \
4 x-drone-events=push,tag \
5 x-drone-repos=octocat/*,spaceghost/* \
6 x-drone-branches=master,development
