
External secret management via HashiCorp Vault

Open fkorotkov opened this issue 2 years ago • 0 comments

Description

Introducing Cirrus CI's OIDC token in #1046 allows for deeper integration with many systems including Vault. Let's make Cirrus Agent be able to retrieve secrets directly from HashiCorp Vault (similar to how this GHA does it).

Let's make Cirrus Agent aware of CIRRUS_VAULT_URL and CIRRUS_VAULT_ROLE environment variables. In case such variables are present, the agent will try to decrypt variables formatted like VAULT[...].

The resulting configuration will look like:

env:
  CIRRUS_VAULT_URL: https://vault.mycompany.com:8200
  CIRRUS_VAULT_ROLE: <Vault JWT Auth Role Name>

task:
  env:
    AWS_ACCESS_KEY_ID: VAULT[secret/data/ci/aws accessKey]
    AWS_SECRET_ACCESS_KEY: VAULT[secret/data/ci/aws secretKey]

fkorotkov, Oct 10 '22 21:10
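The flow the issue sketches, written out as an added example in Go (the language Cirrus Agent is written in). This is not Cirrus CI's code and not the GHA it references: it assumes Vault's JWT auth method at its default `auth/jwt` mount, a KV v2 engine behind `secret/` (which is why the issue's paths contain `/data/`), and a constructed in-process stand-in for Vault so it runs offline. The role name `cirrus-ci`, the `oidc-token-issued-by-cirrus` string standing in for the job's OIDC token, the client token and the secret values are all assumptions. The agent would read `CIRRUS_VAULT_URL` and `CIRRUS_VAULT_ROLE` from the environment, log in once with the OIDC token, and then rewrite every `VAULT[<path> <key>]` value before the task starts; anything that is not exactly that shape passes through untouched, and a missing key fails the task rather than exporting an empty credential.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// vaultRefRe matches a whole VAULT[<path> <key>] value; "x-VAULT[..]" is not a reference.
var vaultRefRe = regexp.MustCompile(`^VAULT\[\s*([^\s\]]+)\s+([^\s\]]+)\s*\]$`)

// parseVaultRef splits "VAULT[secret/data/ci/aws accessKey]" into path and key.
func parseVaultRef(value string) (path, key string, ok bool) {
	if m := vaultRefRe.FindStringSubmatch(value); m != nil {
		return m[1], m[2], true
	}
	return "", "", false
}

// vaultClient speaks Vault's HTTP API; baseURL is CIRRUS_VAULT_URL, token is set by loginJWT.
// It uses http.DefaultClient; a real agent would configure TLS for an https Vault URL.
type vaultClient struct{ baseURL, token string }

// call sends one request under /v1/ with the current token and decodes the JSON reply.
func (c *vaultClient) call(method, path string, body []byte) (map[string]any, error) {
	req, err := http.NewRequest(method, c.baseURL+"/v1/"+path, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Vault-Token", c.token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // 403: role/claims or policy did not match
		return nil, fmt.Errorf("vault %s %s: status %d", method, path, resp.StatusCode)
	}
	var out map[string]any
	return out, json.NewDecoder(resp.Body).Decode(&out)
}

// loginJWT exchanges the job's OIDC token for a Vault token: POST auth/jwt/login with CIRRUS_VAULT_ROLE.
func (c *vaultClient) loginJWT(role, jwt string) error {
	body, _ := json.Marshal(map[string]string{"role": role, "jwt": jwt})
	out, err := c.call(http.MethodPost, "auth/jwt/login", body)
	if err != nil {
		return err
	}
	auth, _ := out["auth"].(map[string]any)
	if c.token, _ = auth["client_token"].(string); c.token == "" {
		return fmt.Errorf("vault jwt login: no client_token in response")
	}
	return nil
}

// readSecret GETs a KV v2 path such as secret/data/ci/aws; the values sit under data.data.
func (c *vaultClient) readSecret(path string) (map[string]any, error) {
	out, err := c.call(http.MethodGet, path, nil)
	if err != nil {
		return nil, err
	}
	data, _ := out["data"].(map[string]any)
	values, _ := data["data"].(map[string]any) // KV v2 layout: data.data holds the key/values
	return values, nil
}

// resolveEnv replaces every VAULT[<path> <key>] value with the value read from Vault and
// leaves other values alone. A missing key or non-string value is an error, never a blank.
func resolveEnv(c *vaultClient, env map[string]string) (map[string]string, error) {
	resolved := make(map[string]string, len(env))
	for name, value := range env {
		path, key, ok := parseVaultRef(value)
		if !ok {
			resolved[name] = value
			continue
		}
		secret, err := c.readSecret(path)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		if resolved[name], ok = secret[key].(string); !ok {
			return nil, fmt.Errorf("%s: no string value %q at %s", name, key, path)
		}
	}
	return resolved, nil
}

// newFakeVault is a constructed stand-in for Vault (not the real server): it accepts one
// JWT role/token pair and serves one KV v2 secret. Every value below is an assumption.
const fakeRole, fakeJWT, fakeToken = "cirrus-ci", "oidc-token-issued-by-cirrus", "hvs.constructed-token"

func newFakeVault() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in struct{ Role, JWT string }
		switch {
		case r.URL.Path == "/v1/auth/jwt/login" && json.NewDecoder(r.Body).Decode(&in) == nil &&
			in.Role == fakeRole && in.JWT == fakeJWT:
			json.NewEncoder(w).Encode(map[string]any{"auth": map[string]any{"client_token": fakeToken}})
		case r.URL.Path == "/v1/secret/data/ci/aws" && r.Header.Get("X-Vault-Token") == fakeToken:
			json.NewEncoder(w).Encode(map[string]any{"data": map[string]any{
				"data":     map[string]any{"accessKey": "AKIACONSTRUCTED", "secretKey": "constructed-secret-key"},
				"metadata": map[string]any{"version": 1},
			}})
		default:
			w.WriteHeader(http.StatusForbidden)
		}
	}))
}
```

To drive it, start `newFakeVault()`, build a `vaultClient` with its URL, call `loginJWT(fakeRole, fakeJWT)`, and pass the issue's `task.env` map to `resolveEnv`. Two properties matter for a real deployment and are what the stand-in checks: the Vault role is bound to the OIDC token's claims, so a token presented against the wrong role (or a token for a different repository or branch) is refused at login rather than at read time, and the client token returned by the login only reaches paths that role's policy allows, so a typo in the `VAULT[...]` path surfaces as a 403 and a failed task instead of an empty variable.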