smooth-secrets-buildkite-plugin

A buildkite plugin to setup ssh keys and env secrets for your pipelines 🧈 🔒

Usage

Exporting secrets to environment

steps:
  - command: echo "\$SECRET_NAME" > secret.txt
    plugins:
      - hasura/smooth-secrets#v1.3.0:
          secrets:
            - strategy: aws-secrets-manager
              region: us-east-2
              key: secret/env
              name: SECRET_NAME
              type: env

Creating a file with the secret contents

steps:
  - command: cd "$(dirname "${FILE_PATH_ENV}")" && cat "${FILE_NAME_ENV}"
    plugins:
      - hasura/smooth-secrets#v1.3.0:
          secrets:
            - strategy: aws-secrets-manager
              region: us-east-2
              key: secret/id
              type: file
              file_path_env: FILE_PATH_ENV
              file_name_env: FILE_NAME_ENV

The path at which the file is created will be exported to the environment with the name given in file_path_env field. Likewise, the file name will be exported with the name given in file_name_env. For example, here, FILE_PATH_ENV var will be set to the file path and FILE_NAME_ENV will be set to the filename.

Adding an SSH key to ssh-agent

steps:
  - command: ssh-add -l
    plugins:
      - hasura/smooth-secrets#v1.3.0:
          secrets:
            - strategy: aws-secrets-manager
              region: us-east-2
              key: secret/id
              type: ssh

• smooth-secret expects the private SSH key to be stored as base64 value in the secrets manager. Use cat <KEY_FILE_PATH> | base64 -w 0 to get the base64 value.
• The private SSH key is stored in this directory: /etc/buildkite-agent/buildkite-secrets/${BUILDKITE_BUILD_ID}/${BUILDKITE_JOB_ID}. The filename is the key field value with any / replaced with -.
• The keys are added to a newly created ssh-agent, which is killed at the end of the job in pre-exit hook.
• The secrets directory is also removed in the pre-exit hook.

Exporting base64 decoded secrets to environment

If the secret is stored as base64 encoded value in the secret storage, then smooth-secret can automatically decode and populate such secrets via the encoding field.

steps:
  - command: ssh-add -l
    plugins:
      - hasura/smooth-secrets#v1.3.0:
          secrets:
            - strategy: aws-secrets-manager
              region: us-east-2
              key: secret/env
              name: SECRET_NAME
              type: env
              encoding: base64

Configuration

secrets (array)

• strategy (required, string)

  Supported value: aws-secrets-manager

• key (required, string)

  Secret id to refer to the secret in the secret storage.

• type (required, string)

  Supported value: ssh, env, file
  • ssh will add the secret value as a private ssh key to the ssh-agent.
  • env will export the env for usage in the build.
  • file will create a file with the secret value as contents

• name (string)

  The name with which env type secrets will be exported. Only required when the secret type is env.

• region (required, string)

  Region value for aws

• encoding (optional, string)

  Supported value: base64