Secrets DSL

Expeditor provides a common DSL which can be used to access secrets from Vault and inject them into runtimes as environment variables.

At this time, we only support the Secrets DSL in Buildkite pipeline definition files for private pipelines.

Accessing a Secret Record

There are two ways to access a secret record via the DSL: account or path. Those two settings will fetch the associated record. The field value is used to fetch a specific value in that secret record.


Accounts are common secret records that are supported by Expeditor itself. These secrets records are typically commonly used accounts that are maintained by Release Engineering, Operations, and Corporate IT. We maintain these custom secret records because it allows us to make a number of related secret values available through a single interface, without requiring users from knowing the specifics of the underlying Vault schema.

There are four types of supported accounts:

  • aws
  • azure
  • github
  • google

Accounts are specified using the form <type>/<name> where <type> is one of the values above, and <name> is the name of the account.

Each account type has a default <name>:

  • aws/chef-cd
  • azure/inspec
  • github/chef-ci
  • google/buildkite-ci

Available Account Fields

  • access_key_id
  • secret_access_key
  • session_token
  • region
  • client_id
  • client_secret
  • subscription_id
  • tenant_id
  • token
  • token
  • json


If you’re trying to access some other secret record in Vault that is not one of the supported accounts, you can specify a path value. This value is fed into a vault read request.

    path: secret/myapp/custom_secret
    field: foobar

What field values are valid is based entirely on the contents of the secret record in Vault.


There are some situations, like specifying studio_secrets in the Habitat pipeline definition file, where you simply want to pass in a plain text value into the DSL. To do this, you can simply provide a value.

    value: foo