Secret documentation on drone/drone:1.0.0, drone/agent:1.0.0 and drone/vault:latest

#1

Hi @bradrydzewski,

I am really thankful for all your really hard work in developing the drone stuff.

But I am pretty new and trying to switch from local Gitlab to Gitea + Drone + Vault to build my images. I’m really misusing Vault as I’m just using it as a store for shared ‘variables’ nearly used on every repo.

Anyway, my main problem is I’m seeing way too many different ways to specify access to secrets and no matter which kind I try, I currently get either nothing or an error.

On the Vault announcement page https://blog.drone.io/drone-vault-secrets/ it is stated as

```yaml
secrets:
  docker_username:
    external:
      name: secret/data/docker#username
```

and on the official page (https://docs.drone.io/extend/secrets/vault/config-in-drone/) it is stated as

```yaml
---
kind: secret
name: username
get:
  path: secret/data/docker
  name: username

---
kind: secret
name: password
get:
  path: secret/data/docker
  name: password
```

I’m currently pretty frustrated as the last part that is not working in the whole setup is my access to the ‘shared variables’ via Vault within .drone.yml.

Just tried a very basic file

```yaml
kind: pipeline
name: default

steps:
- name: build
  image: bash
  environment:
    MY_SSH_KEY:
      from_secret: ssh_key
  commands:
    - echo "${MY_SSH_KEY}"

---
kind: secret

external_data:
  ssh_key:
    path: kv/kiwi
    name: SSH_KEY
```

This .drone.yml just returns “echo ‘’”

I’m able to retrieve the secret with the drone plugins call

```
rp@debian1-vm:~/git/drone-vault-test$ drone plugins secret get kv/kiwi SSH_KEY --repo pasche/drone-vault-test
ssh-key....
rp@debian1-vm:~/git/drone-vault-test$
```

So the above .drone.yml should return “echo ‘ssh-key…’”.

Currently, I’m no Go programmer…I already looked into the code and I currently don’t get into it, so pointing me to the source code will not help me very much ;-/

Maybe I’m missing the right page for the current documentation and hope, you can point me in the right direction.

Again…thank you for your hard work.

Robert


#2

the canonical documentation for secrets is at docs.drone.io. Blog posts, discourse posts, etc are point-in-time and could be outdated. This is (at the time of responding) the proper syntax for vault secrets:

```yaml
---
kind: secret
name: username
get:
  path: secret/data/docker
  name: username

---
kind: secret
name: password
get:
  path: secret/data/docker
  name: password
```

one thing that jumps out is that ${variable} is subject to interpolation and needs to be escaped, similar to docker-compose, like this:

```diff
-commands: - echo "${MY_SSH_KEY}"
+commands: - echo "$${MY_SSH_KEY}"
```
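The reply above explains why the unescaped form comes back empty: Drone interpolates `${VAR}` in the YAML at parse time from its own build variables, and only the escaped `$${VAR}` survives to be expanded by the step's shell, where the secret-backed environment variable actually exists. The Python below is added here as an illustration and is not Drone's own code; the build-variable names, the secret value and the two-stage model are constructed/assumed. It emulates both stages and also flags `${...}` references in a command that would need escaping.

```python
import re

# Constructed sample: variables Drone knows at parse time (assumed names/values).
DRONE_BUILD_VARS = {"DRONE_COMMIT": "abc1234", "DRONE_BRANCH": "master"}

# Constructed sample: the step's run-time environment, with the secret injected
# via from_secret (placeholder value, not a real key).
STEP_ENV = {"MY_SSH_KEY": "ssh-key...."}

# '$$' is the escape; '${NAME}' is a parse-time reference.
_PARSE_TOKEN = re.compile(r"\$\$|\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
# What the shell later treats as a variable reference (braced form only here).
_SHELL_VAR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def drone_interpolate(command: str, build_vars: dict) -> str:
    """Stage 1 (parse time): '$$' -> '$'; '${X}' -> build var X, or '' if unknown.
    This is the behaviour observed in the thread: an unknown name collapses to ''."""
    def repl(m):
        if m.group(0) == "$$":
            return "$"
        return build_vars.get(m.group(1), "")
    return _PARSE_TOKEN.sub(repl, command)


def shell_expand(command: str, env: dict) -> str:
    """Stage 2 (run time): minimal stand-in for the shell expanding ${X} from env."""
    return _SHELL_VAR.sub(lambda m: env.get(m.group(1), ""), command)


def run_step(command: str) -> str:
    """The command as the shell would finally execute it after both stages."""
    return shell_expand(drone_interpolate(command, DRONE_BUILD_VARS), STEP_ENV)


def unescaped_references(command: str, build_vars: dict = DRONE_BUILD_VARS) -> list:
    """Lint check: ${NAME} references that Drone would blank out at parse time
    because NAME is not a build variable, i.e. they should be written $${NAME}."""
    return [m.group(1) for m in _PARSE_TOKEN.finditer(command)
            if m.group(1) and m.group(1) not in build_vars]


if __name__ == "__main__":
    for cmd in ('echo "${MY_SSH_KEY}"', 'echo "$${MY_SSH_KEY}"'):
        print(f"{cmd!r:28} -> {run_step(cmd)!r}  needs escape: {unescaped_references(cmd)}")
```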

#3

> [quote="rpasche, post:1, topic:4206"]
> Anyway, my main problem is I’m seeing way too many different ways to specify access to secrets
> [/quote]
>
> the canonical documentation for secrets is at docs.drone.io. Blog posts, discourse posts, etc are point-in-time and could be outdated. This is (at the time of responding) the proper syntax for vault secrets:
>
> ```yaml
> ---
> kind: secret
> name: username
> get:
>   path: secret/data/docker
>   name: username
>
> ---
> kind: secret
> name: password
> get:
>   path: secret/data/docker
>   name: password
> ```
>
> [quote="rpasche, post:1, topic:4206"]
> commands: - echo "${MY_SSH_KEY}"
> [/quote]
>
> one thing that jumps out is that ${variable} is subject to interpolation and needs to be escaped, similar to docker-compose, like this:
>
> ```diff
> -commands: - echo "${MY_SSH_KEY}"
> +commands: - echo "$${MY_SSH_KEY}"
> ```

Ahh… That could be it. I’ll try this again this evening.

Thanks


#4

@bradrydzewski Thanks. Now got all working. :slight_smile:
