Delinea DevOps Secrets Vault (DSV) CI plugin allows you to access and reference your Secrets data available for use in GitLab Jobs.

- Developer: instructions on running tests, local tooling, and other resources.
- DSV Documentation

Review the file: .gitlab-ci.yml

To test this out, you'll have to create variables in GitLab under: https://gitlab.com/{org}/{project}/-/settings/ci_cd

This plugin uses authentication based on Client Credentials, i.e. via Client ID and Client Secret.
```bash
dsvprofile=  # name of the dsv CLI profile to use (must be set before running)
rolename="gitlab-dsv-gitlab-tests"
secretpath="ci:tests:dsv-gitlab"
secretpathclient="clients:${secretpath}"
desc="a secret for testing operation of secrets against dsv-gitlab"
clientcredfile=".cache/${rolename}.json"
clientcredname="${rolename}"

# Create the role the CI job will authenticate as
dsv role create --name "${rolename}" --profile $dsvprofile

# Option 1: Less Optimal - Save Credential to local json for testing
# dsv client create --role "${rolename}" --out "file:${clientcredfile}"

# Option 2: 🔒 MOST SECURE
# Create credential info for dsv, and set as variable.
# Create an org secret instead if you want to share this credential in many repos.
# compress to a single line
clientcred=$(dsv client create --role "${rolename}" --plain | jq -c)

# configure the credentials in gitlab
echo 'DSV_SERVER in GitLab variables, example: mytenant.secretsvaultcloud.com'
echo "Save DSV_CLIENT_ID in GitLab variables: $(echo "${clientcred}" | jq '.clientId' -r)"
echo "Save DSV_CLIENT_SECRET in GitLab variables: $(echo "${clientcred}" | jq '.clientSecret' -r)"
```
For further setup, here's how you could extend the script block above to also create a secret and a policy that grants read access to just that secret path.

```bash
# Create a secret
secretkey="secret-01"
secretvalue='{"value1":"taco","value2":"burrito"}'
dsv secret create \
  --path "secrets:${secretpath}:${secretkey}" \
  --data "${secretvalue}" \
  --desc "${desc}"

# Create a policy allowing role "$rolename" to read secrets under "secrets:${secretpath}"
dsv policy create \
  --path "secrets:${secretpath}" \
  --actions 'read' \
  --effect 'allow' \
  --subjects "roles:$rolename" \
  --desc "${desc}" \
  --resources "secrets:${secretpath}:<.*>"
```
See integration.yml for an example of how to use this to retrieve secrets and use the outputs in other tasks.

The retrieve value is a JSON array, so to fetch another secret or key just add another line:

```yaml
retrieve: |
  [
    {"secretPath": "ci:tests:dsv-github-action:secret-01", "secretKey": "value1", "outputVariable": "RETURN_VALUE_1"},
    {"secretPath": "ci:tests:dsv-github-action:secret-01", "secretKey": "value2", "outputVariable": "RETURN_VALUE_2"}
  ]
```
Note: Make sure your generated client credentials are associated with a policy that has rights to read each of the different secrets.

Reading keys from two different secrets works the same way; list each secret path:

```yaml
retrieve: |
  [
    {"secretPath": "ci:tests:dsv-github-action:secret-01", "secretKey": "value1", "outputVariable": "RETURN_VALUE_1"},
    {"secretPath": "ci:tests:dsv-github-action:secret-02", "secretKey": "value1", "outputVariable": "RETURN_VALUE_2"}
  ]
```
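As an added pre-flight check (not part of this plugin or the DSV CLI), the following script validates a retrieve list before the pipeline runs: it confirms each entry has the expected fields, that every secretPath is covered by the policy resource pattern created above (the `<.*>` form from `dsv policy create --resources`), and that no output variable is assigned twice. The sample policy and retrieve list are constructed inline; it assumes that policy resources carry the `secrets:` prefix while retrieve paths omit it.

```python
import json
import re

# Constructed sample input: the policy resource pattern from the setup script above
# (secretpath="ci:tests:dsv-gitlab") and a retrieve list in the plugin's format.
POLICY_RESOURCES = ["secrets:ci:tests:dsv-gitlab:<.*>"]
RETRIEVE_JSON = """
[
  {"secretPath": "ci:tests:dsv-gitlab:secret-01", "secretKey": "value1", "outputVariable": "RETURN_VALUE_1"},
  {"secretPath": "ci:tests:dsv-github-action:secret-01", "secretKey": "value1", "outputVariable": "RETURN_VALUE_2"},
  {"secretPath": "ci:tests:dsv-gitlab:secret-02", "secretKey": "value1", "outputVariable": "RETURN_VALUE_1"}
]
"""
ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def resource_to_regex(resource):
    """Compile a DSV resource pattern: text outside <...> is literal, text inside
    <...> is a regular expression (e.g. "<.*>" matches any remaining path)."""
    parts = []
    for literal, expr in re.findall(r"([^<]*)(?:<([^>]*)>)?", resource):
        parts.append(re.escape(literal))
        if expr:
            parts.append(f"(?:{expr})")
    return re.compile("^" + "".join(parts) + "$")


def check_retrieve(retrieve_json, policy_resources):
    """Pre-flight check of a retrieve list. Returns problem descriptions; an empty
    list means every entry is well-formed and readable under the given policy."""
    allowed = [resource_to_regex(r) for r in policy_resources]
    problems, seen_outputs = [], set()
    for i, entry in enumerate(json.loads(retrieve_json)):
        missing = {"secretPath", "secretKey", "outputVariable"} - set(entry)
        if missing:
            problems.append(f"entry {i}: missing field(s) {sorted(missing)}")
            continue
        path = entry["secretPath"]
        # Assumption: policy resources carry the "secrets:" prefix, retrieve paths omit it.
        full = path if path.startswith("secrets:") else f"secrets:{path}"
        if not any(rx.match(full) for rx in allowed):
            problems.append(f"entry {i}: {path!r} not readable under policy resources")
        out = entry["outputVariable"]
        if not ENV_NAME.match(out):
            problems.append(f"entry {i}: {out!r} is not a valid variable name")
        elif out in seen_outputs:
            problems.append(f"entry {i}: output variable {out!r} assigned more than once")
        seen_outputs.add(out)
    return problems
```

Run `check_retrieve(RETRIEVE_JSON, POLICY_RESOURCES)` against your own policy resources and retrieve block; with the constructed sample it flags the path outside the policy and the duplicated RETURN_VALUE_1.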
Thanks goes to these wonderful people (emoji key):

- Mariia 💻
- sheldonhull 💻
- andrii-zakurenyi 💻
- gg-delinea 📓

This project follows the all-contributors specification. Contributions of any kind welcome!