Expeditor provides a common DSL which can be used to access secrets from Vault and inject them into runtimes as environment variables.
At this time, we only support the Secrets DSL in Buildkite pipeline definition files for private pipelines.
Accessing a Secret Record
There are two ways to access a secret record via the DSL: by account or by path. Either setting fetches the associated record. The field value is then used to fetch a specific value from that secret record.
Accounts are common secret records that are supported by Expeditor itself. These secret records are typically commonly used accounts that are maintained by Release Engineering, Operations, and Corporate IT. We maintain these custom secret records because they allow us to make a number of related secret values available through a single interface, without requiring users to know the specifics of the underlying Vault schema.
There are four supported account types.
Accounts are specified by combining a <type> and a <name>, where <type> is one of the supported account types and <name> is the name of the account.
Each account type has a default field.
Available Account Fields
If you're trying to access some other secret record in Vault that is not one of the supported accounts, you can specify a path value. This value is fed into a vault read request.
    secrets:
      CUSTOM_SECRET:
        path: secret/myapp/custom_secret
        field: foobar
Which field values are valid depends entirely on the contents of the secret record in Vault.
There are some situations, like specifying studio_secrets in the Habitat pipeline definition file, where you simply want to pass a plain text value into the DSL. To do this, provide a value instead of an account or path:

    secrets:
      PLAINTEXT_SECRET:
        value: foo
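The following is an added example, not Expeditor's own code: a small Python resolver that applies the three DSL forms described above (account with an optional field, path with a field, and a plain value) to a parsed secrets block, and shows the kind of validation a pipeline linter would want before any secret is injected as an environment variable. The Vault contents and the account table are constructed in-memory dictionaries; the account form <type>/<name>, the account type "exampletype", the Vault paths, and the rule that a path secret must name a field are all assumptions of this example, not facts from the page.

```python
"""Toy resolver for an Expeditor-style Secrets DSL (added example, not Expeditor code)."""
from typing import Dict, Optional, Tuple

# Constructed stand-in for Vault: path -> record (field -> value). Not a real client.
FAKE_VAULT: Dict[str, Dict[str, str]] = {
    "secret/accounts/ci-bot": {"token": "tok-123", "username": "ci-bot"},
    "secret/myapp/custom_secret": {"foobar": "custom-value"},
}

# Constructed account table: "<type>/<name>" -> (vault path, default field).
# The separator and the type name "exampletype" are assumptions of this example.
ACCOUNTS: Dict[str, Tuple[str, str]] = {
    "exampletype/ci-bot": ("secret/accounts/ci-bot", "token"),
}

# Parsed form of a pipeline `secrets:` block (YAML already loaded into a dict).
SAMPLE_SECRETS = {
    "CUSTOM_SECRET": {"path": "secret/myapp/custom_secret", "field": "foobar"},
    "PLAINTEXT_SECRET": {"value": "foo"},
    "BOT_TOKEN": {"account": "exampletype/ci-bot"},            # uses the default field
    "BOT_USER": {"account": "exampletype/ci-bot", "field": "username"},
}


class SecretsDSLError(ValueError):
    """Raised when a secret entry cannot be resolved unambiguously."""


def resolve_secret(env_name: str, spec: Dict[str, str],
                   vault=FAKE_VAULT, accounts=ACCOUNTS) -> str:
    """Resolve one DSL entry to the string that will become $env_name."""
    sources = [k for k in ("account", "path", "value") if k in spec]
    # Exactly one source keeps the entry unambiguous (example policy).
    if len(sources) != 1:
        raise SecretsDSLError(f"{env_name}: need exactly one of account/path/value, got {sources}")
    source = sources[0]

    if source == "value":
        return str(spec["value"])  # plain text passes straight through

    if source == "account":
        acct = spec["account"]
        if acct not in accounts:
            raise SecretsDSLError(f"{env_name}: unknown account {acct!r}")
        path, default_field = accounts[acct]
        field = spec.get("field", default_field)  # account types carry a default field
    else:
        path = spec["path"]
        if "field" not in spec:  # assumption: a raw path has no default field
            raise SecretsDSLError(f"{env_name}: path secrets must name a field")
        field = spec["field"]

    record = vault.get(path)  # stands in for `vault read <path>`
    if record is None:
        raise SecretsDSLError(f"{env_name}: no secret record at {path}")
    if field not in record:
        raise SecretsDSLError(
            f"{env_name}: field {field!r} not in {path}; available: {sorted(record)}")
    return record[field]


def resolve_secrets(secrets: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Resolve a whole `secrets:` block into env-var name -> value."""
    return {name: resolve_secret(name, spec) for name, spec in secrets.items()}


def check_secret(env_name: str, spec: Dict[str, str]) -> Optional[str]:
    """Lint helper: None if the entry resolves, otherwise the error message."""
    try:
        resolve_secret(env_name, spec)
        return None
    except SecretsDSLError as exc:
        return str(exc)


def inject(secrets: Dict[str, Dict[str, str]], environ: Dict[str, str]) -> Dict[str, str]:
    """Resolve every entry and place the results into a runtime environment dict."""
    resolved = resolve_secrets(secrets)
    environ.update(resolved)
    return resolved


if __name__ == "__main__":
    env: Dict[str, str] = {}
    inject(SAMPLE_SECRETS, env)
    for name in sorted(env):  # print names only; values stay out of the log
        print(f"{name} set ({len(env[name])} chars)")
```

The validation branches are the useful part for a reviewer: an entry with both path and value, a path with no field, or a field that the Vault record does not contain are all rejected before anything reaches the environment, so a misconfigured pipeline fails at resolution time rather than running with an empty or wrong variable.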