Skip to content
/ elastic-ci-stack-secrets-manager-hooks Public
forked from buildkite/elastic-ci-stack-ssm-secrets-hooks

🕵️‍♀️ Expose secrets to your buildkite build steps via Amazon Secrets Manager

License

MIT license
0 stars 5 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

alianza-dev/elastic-ci-stack-secrets-manager-hooks

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
.buildkite
.buildkite
 
 
hooks
hooks
 
 
lib
lib
 
 
tests
tests
 
 
INSTALL.md
INSTALL.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
docker-compose.yml
docker-compose.yml
 
 
git-credential-sm-secrets
git-credential-sm-secrets
 
 

Repository files navigation

AWS Secrets Manager Buildkite Hooks

A set of agent hooks that expose secrets to build steps via Amazon Secrets Manager.

Different types of secrets are supported and exposed to your builds in appropriate ways:

  • ssh-agent for SSH Private Keys
  • Environment Variables for strings
  • git-credential via git's credential.helper

Usage

When run via the agent environment and pre-exit hook, your builds will check the following Secrets Manager paths:

  • buildkite/{org_slug}/ssh-private-key
  • buildkite/{org_slug}/git-credentials
  • buildkite/{org_slug}/env/{file}
  • buildkite/{org_slug}/pipeline/{pipeline_slug}/ssh-private-key
  • buildkite/{org_slug}/pipeline/{pipeline_slug}/git-credentials
  • buildkite/{org_slug}/pipeline/{pipeline_slug}/env/{file}

{file} can contain one or more key: value pairs in SSM.

For those secrets, the following types will be expected:

  • ssh-private-key is a SecretBinary that contains an ssh key for ssh git checkouts
  • git-credentials is a SecretString that stores git credentials for https git checkouts
  • env/{file} will be a SecretString and key name for each key: value pair will be the environment key that is set. Secrets are loaded in alphabetical order and keys are NOT unique. The plugin does no currently enforce unique keys.

Uploading Secrets

Setting SSH Keys for Git Checkouts

This example uploads an ssh key that would be used globally across your organization.

# generate a deploy key for your project
ssh-keygen -t rsa -b 4096 -f id_rsa_buildkite
pbcopy < id_rsa_buildkite.pub # paste this into your github deploy key

# create a managed secret with the private key
aws secretsmanager create-secret \
  --name "buildkite/my-org/ssh-private-key" \
  --secret-binary file://id_rsa_buildkite

Setting Environment Variables

Here's an example of how you would set an env of MY_FAVORITE_LLAMA, with a value of they are all good llamas for all builds across all pipelines.

aws secretsmanager create-secret \
  --name "buildkite/my-org/env/MY_FAVORITE_LLAMA" \
  --secret-string "they are all good llamas"

Configuring Git Credentials

Here's an example for how you'd configure a global git credential for the entire stack, using a GitHub personal access token:

aws secretsmanager create-secret \
  --name "buildkite/<org-slug>/git-credentials" \
  --secret-string "https://<username>:<access-token>@github.com"

You can also override it a per-pipeline basis:

aws secretsmanager create-secret \
  --name "buildkite/<org-slug>/pipeline/<pipeline-slug>/git-credentials" \
  --secret-string "https://<username>:<access-token>@github.com"

License

MIT (see LICENSE)

About

🕵️‍♀️ Expose secrets to your buildkite build steps via Amazon Secrets Manager

Topics

devops buildkite

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Shell 100.0%