Skip to content
This repository was archived by the owner on Feb 16, 2023. It is now read-only.

secrethub/secrethub-circleci-orb

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

138 Commits
.circleci
.circleci
 
 
.github/workflows
.github/workflows
 
 
src
src
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

1Password SecretHub has joined 1Password! Find out more on the SecretHub blog. 🎉

CircleCI + SecretHub


Learn More View Docs


CircleCI Orb Partner badge

CircleCI Version Discord

No more copy-pasting sensitive values into a GUI. Securely load secrets into CircleCI and sync them automatically.

This Orb is officially supported and actively maintained by SecretHub, but community contributions are very welcome.

Usage

To execute a command that needs secrets, replace your CircleCI run command with secrethub/exec. You can make secrets available to your command as environment variables by referencing their SecretHub path, prefixed by secrethub://:

version: 2.1
orbs:
  secrethub: secrethub/[email protected]

jobs:
  deploy:
    docker:
      - image: cimg/base:stable
    environment:
      AWS_ACCESS_KEY_ID: secrethub://company/app/aws/access_key_id
      AWS_SECRET_ACCESS_KEY: secrethub://company/app/aws/secret_access_key
    steps:
      - checkout
      - secrethub/exec:
          command: |
            echo "This value will be masked: $AWS_ACCESS_KEY_ID"
            echo "This value will be masked: $AWS_SECRET_ACCESS_KEY"
            ./deploy-my-app.sh
workflows:
  deploy:
    jobs:
      - deploy

Alternatively, you can set the shell of the native CircleCI run command:

version: 2.1
orbs:
  secrethub: secrethub/[email protected]

jobs:
  deploy:
    docker:
      - image: cimg/base:stable
    steps:
      - secrethub/install
      - checkout
      - run:
          shell: secrethub run -- /bin/bash
          environment:
            AWS_ACCESS_KEY_ID: secrethub://company/app/aws/access_key_id
            AWS_SECRET_ACCESS_KEY: secrethub://company/app/aws/secret_access_key
          command: |
            echo "This value will be masked: $AWS_ACCESS_KEY_ID"
            echo "This value will be masked: $AWS_SECRET_ACCESS_KEY"
            ./deploy-my-app.sh
workflows:
  deploy:
    jobs:
      - deploy

You can either set the shell on the run command level, or you can set it on the job level to use it for every step in the job. That way you can also load secrets into other orbs:

version: 2.1
orbs:
  aws-cli: circleci/[email protected]
  secrethub: secrethub/[email protected]

jobs:
  deploy:
    executor: aws-cli/default
    shell: secrethub run -- /bin/bash
    environment:
      AWS_DEFAULT_REGION: us-east-1
      AWS_ACCESS_KEY_ID: secrethub://company/app/aws/access_key_id
      AWS_SECRET_ACCESS_KEY: secrethub://company/app/aws/secret_access_key
    steps:
      - secrethub/install
      - checkout
      - aws-cli/setup

workflows:
  deploy:
    jobs:
      - deploy

See the src/examples directory for more examples.

Masking

When using either the secrethub/exec orb command or the secrethub run shell wrapper, all secrets are automatically masked from the CI log output. If secrets (accidentally) get logged, they will be replaced with:

<redacted by SecretHub>

Authentication

For your CircleCI jobs to authenticate to SecretHub and decrypt the secrets they need, create a SecretHub service account, give it read access to the secrets it needs, and configure the credential as SECRETHUB_CREDENTIAL in your CircleCI project settings or Context environment variables.

About

Load secrets into CircleCI jobs

secrethub.io

Topics

security devops secret-management secrets secrets-management circleci-orbs

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

10 stars

Watchers

7 watching

Forks

7 forks
Report repository

Releases 3

v1.1.0 Latest
Nov 3, 2020
+ 2 releases

Packages

No packages published

Contributors 7