README.md +54 −0
@@ -431,3 +431,57 @@ export AWS_PAGER="" aws cloudformation delete-stack --stack-name "$appname" ``` ## Variants The AWS template can be used in conjunction with template variants to cover specific cases. ### Vault variant This variant allows delegating your secrets management to a [Vault](https://www.vaultproject.io/) server. #### Configuration In order to be able to communicate with the Vault server, the variant requires the additional configuration parameters: | Name | description | default value | | ----------------- | -------------------------------------- | ----------------- | | `VAULT_BASE_URL` | The Vault server base API url | _none_ | | :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** | | :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** | #### Usage Then you may retrieve any of your secret(s) from Vault using the following syntax: ```text @url@http://vault-secrets-provider/api/secrets/{secret_path}?field={field} ``` With: | Name | description | | -------------------------------- | -------------------------------------- | | `secret_path` (_path parameter_) | this is your secret location in the Vault server | | `field` (_query parameter_) | parameter to access a single basic field from the secret JSON payload | #### Example ```yaml include: # main template - project: 'to-be-continuous/aws' ref: '1.0.2' file: '/templates/gitlab-ci-aws.yml' # Vault variant - project: 'to-be-continuous/aws' ref: '1.0.2' file: '/templates/gitlab-ci-aws-vault.yml' variables: # Secrets managed by Vault AWS_ACCESS_KEY_ID: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/aws/prod/account?field=access_key_id" AWS_SECRET_ACCESS_KEY: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/aws/prod/account?field=secret_access_key" VAULT_BASE_URL: "https://vault.acme.host/v1" # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret 
CI/CD variable ``` kicker.json +27 −0 Original line number Diff line number Diff line Loading @@ -104,5 +104,32 @@ } ] } ], "variants": [ { "id": "vault", "name": "Vault", "description": "Retrieve secrets from a [Vault](https://www.vaultproject.io/) server", "template_path": "templates/gitlab-ci-aws-vault.yml", "variables": [ { "name": "VAULT_BASE_URL", "description": "The Vault server base API url", "mandatory": true }, { "name": "VAULT_ROLE_ID", "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID", "mandatory": true, "secret": true }, { "name": "VAULT_SECRET_ID", "description": "The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID", "mandatory": true, "secret": true } ] } ] } templates/gitlab-ci-aws-vault.yml 0 → 100644 +14 −0 Original line number Diff line number Diff line # ===================================================================================================================== # === Vault template variant # ===================================================================================================================== variables: # variables have to be explicitly declared in the YAML to be exported to the service VAULT_ROLE_ID: "$VAULT_ROLE_ID" VAULT_SECRET_ID: "$VAULT_SECRET_ID" .aws-base: services: - name: "$CI_REGISTRY/to-be-continuous/tools/tracking:master" command: ["--service", "aws", "1.0.2" ] - name: "$CI_REGISTRY/to-be-continuous/tools/vault-secrets-provider:master" alias: "vault-secrets-provider" Loading
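Review bot: The `#### Usage` section of the README hunk never says which Vault HTTP API path `secret_path` is resolved against, even though the example `VAULT_BASE_URL` ends in `/v1`; state whether the provider builds `{VAULT_BASE_URL}/{secret_path}` verbatim and, for a KV v2 mount, whether the caller has to put the `data/` segment into `secret_path` themselves, otherwise every reader will guess. The closing comment `# $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable` is also the only guidance on where the AppRole credentials live; spell out that they should be masked (and protected for production) project variables, since anyone who can read the SecretID can pull every secret the AppRole is allowed to read, including the AWS keys shown in the example.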
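Review bot: `VAULT_BASE_URL` is declared `"mandatory": true` in the kicker.json hunk, but the README table in the same change lists its default value as _none_ while the two AppRole rows say **must be defined**; make the README row match (`**must be defined**`) so kicker-generated configs and the documentation agree on what is required.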
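Review bot: In the new `templates/gitlab-ci-aws-vault.yml` both service images are pulled by the floating `:master` tag (`tracking:master` and `vault-secrets-provider:master`), so whoever can push to those tags changes the code that receives `VAULT_ROLE_ID` and `VAULT_SECRET_ID`, and every pipeline picks it up on its next run; pin them to a release tag matching the template version (the tracking service already hard-codes `"1.0.2"` in its `command`) or to an image digest. Two smaller points on the same hunk: redefining `services:` on `.aws-base` replaces the list inherited from the main template rather than appending to it, so the tracking service entry and its `"1.0.2"` string now live in two files and must be bumped together; and putting `VAULT_ROLE_ID`/`VAULT_SECRET_ID` under the top-level `variables:` exports the SecretID into every job of the pipeline, not only the AWS jobs, so if a job-level `variables:` block on `.aws-base` is also passed through to the service, prefer that narrower scope.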