A simple Buildkite plugin to map a Vault secret to a Step environment variable

`vault` and `jq` are expected to be installed on your Buildkite worker.

Add the following to your `pipeline.yml`:
```yaml
steps:
  - command: "<your-command>"
    plugins:
      - elastic/vault-secrets#v0.0.3:
          path: "secret/ci/elastic-<repo-name>/<secret-name>"
          field: "<secret-field-name>" # OPTIONAL
          env_var: "<environment-variable-mapping-secret>" # OPTIONAL
          path_depth: "2" # OPTIONAL
```
- `field` specifies the exact Vault secret field to retrieve.
  - If `field` isn't defined, the entire secret is retrieved in JSON format.
- `env_var` specifies the name of the environment variable that will contain the secret.
  - If `env_var` is not specified, the name of the environment variable will be generated: `<UPPERCASE_SECRET_NAME>[_<UPPERCASE_FIELD_NAME>]_SECRET`.
  - Note `env_var`, you should use one of the patterns that will
- `path_depth` specifies the number of elements of the path to use in the variable name when `env_var` isn't defined. When not defined, the default value is 2.
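
To see which variable name a step should expect when `env_var` is left out, the naming rule above can be previewed with a small shell helper. This is an added example, not the plugin's own hook code: the function name `preview_env_var_name`, the choice of the trailing `path_depth` elements, and the replacement of non-alphanumeric characters with `_` are assumptions, so confirm the result against a real build before relying on it.

```shell
#!/bin/sh
# Added illustration, not the plugin's hook code.
# ASSUMPTIONS: the last <path_depth> path elements form the secret name, and
# every character outside [A-Za-z0-9] is turned into "_" before upper-casing.

# Usage: preview_env_var_name PATH [FIELD] [PATH_DEPTH]
preview_env_var_name() {
  path=$1
  field=${2:-}
  depth=${3:-2}   # README: default path_depth is 2

  case $depth in
    ''|*[!0-9]*|0)
      echo "path_depth must be a positive integer" >&2
      return 1 ;;
  esac

  # Collapse repeated slashes and trim the ends so empty elements are not counted.
  path=$(printf '%s' "$path" | sed 's|//*|/|g; s|^/||; s|/$||')
  if [ -z "$path" ]; then
    echo "path is empty" >&2
    return 1
  fi

  # Join the trailing $depth elements (or all of them if the path is shorter).
  name=$(printf '%s\n' "$path" | awk -F/ -v d="$depth" '{
    start = NF - d + 1; if (start < 1) start = 1
    out = $start
    for (i = start + 1; i <= NF; i++) out = out "_" $i
    print out
  }')

  # The field name is optional in the documented pattern.
  if [ -n "$field" ]; then
    name="${name}_${field}"
  fi

  name=$(printf '%s' "$name" | tr -c 'A-Za-z0-9' '_' | tr 'a-z' 'A-Z')
  printf '%s_SECRET\n' "$name"
}

# Constructed sample path, following the README's path template.
preview_env_var_name "secret/ci/elastic-myrepo/deploy-key" "token"
```
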

Please refer to the test pipeline and scripts in the `.buildkite` directory as examples.