Create docker image to Retrieve secret from GCP Secret Manager.
Release notes
Problem to solve
Intended users
User experience goal
Proposal
Use include to use the GCP CLI docker image from #207828.
There should be a job that extracts the secret into a .env file to be used in the pipeline.
Secrets needed:
-
GOOGLE_PROJECT_ID: -
GOOGLE_COMPUTE_ZONE:
Further details
Get Secret Version Orb
version: '2.1'
orbs:
gcp-cli: circleci/gcp-cli@x.y.z
gcp-sm: pathmotion/gcp-secret-manager@x.y.z
jobs:
access-gcp-secret-version:
environment:
GOOGLE_COMPUTE_ZONE: my-gcp-zone
GOOGLE_PROJECT_ID: my-gcp-project-id
executor: gcp-sm/default
steps:
- gcp-cli/initialize
- gcp-sm/access-secret-version:
secret-name: MY_API_TOKEN
- persist_to_workspace:
paths:
- .secrets/secrets.env
root: .
workflows: nullAccess Secret Version Orb
description: Retrieves a secret from GCP Secret Manager.
parameters:
create-secrets-directory:
default: true
type: boolean
secret-file:
default: secrets.env
type: string
secret-names:
type: string
secret-version:
default: latest
type: string
secrets-directory:
default: .secrets
type: string
steps:
- when:
condition: << parameters.create-secrets-directory >>
steps:
run:
command: mkdir -p << parameters.secrets-directory >>
name: Create secrets directory
- run:
command: |
IFS="," read -ra SECRETNAMES \<<< << parameters.secret-names >>
for secret in "${SECRETNAMES[@]}"
do
echo "export ${secret}='$(gcloud secrets versions access << parameters.secret-version >> \
--secret=${secret})'" >> << parameters.secrets-directory >>/<< parameters.secret-file >>
done
name: Access a secret versionPermissions and Security
Documentation
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Is this a cross-stage feature?
Links / references
Activity
added typefeature label
@jreporter This may be more suitable for ~"group::verify" and Category:Secrets Management
That would make it ~"group::configure" then @ogolowinski if you feel this fits in Category:Secrets Management?
@nagyv-gitlab WDYT? Thanks
Thanks @jreporter , I agree.
added to epic &2706
added sectionops label
mentioned in issue gitlab-org/quality/triage-reports#1334 (closed)
mentioned in issue gitlab-org/quality/triage-reports#1425 (closed)
mentioned in issue gitlab-org/quality/triage-reports#1502 (closed)
mentioned in issue gitlab-org/quality/triage-reports#1563 (closed)
mentioned in issue gitlab-org/quality/triage-reports#1685 (closed)
mentioned in issue gitlab-org/quality/triage-reports#1759 (closed)
mentioned in issue gitlab-org/quality/triage-reports#1858 (closed)
mentioned in issue gitlab-org/quality/triage-reports#1977 (closed)
mentioned in issue gitlab-org/quality/triage-reports#2053 (closed)
mentioned in issue gitlab-org/quality/triage-reports#2133 (closed)
mentioned in issue gitlab-org/quality/triage-reports#2236 (closed)
mentioned in issue gitlab-org/quality/triage-reports#2327 (closed)
mentioned in issue gitlab-org/quality/triage-reports#2400 (closed)
mentioned in issue gitlab-org/quality/triage-reports#2466 (closed)
mentioned in issue gitlab-org/quality/triage-reports#2547 (closed)
marked this issue as related to #207828
changed milestone to %Backlog
added [deprecated] Accepting merge requests label
added grouppipeline authoring label and removed groupconfigure [DEPRECATED] label
added devopsverify label and removed devopsconfigure [DEPRECATED] label
added grouppipeline security label and removed grouppipeline authoring label
mentioned in issue gitlab-org/quality/triage-reports#18921 (closed)
removed sectionops label
removed devopsverify label
added devopsgovern sectionsec labels
