summon is a tool for fetching secrets from secure storage; this plugin makes it easy to use in Buildkite jobs.
Some reasons you might care:

- Maybe you're still hardcoding secrets in your Buildkite pipeline settings? If so, that is bad and you should stop. This plugin helps you stop.
- You can immediately leverage any of the existing summon secrets providers, so you have flexibility in what secure storage you use.
- By installing different default providers on different machines, you can fetch secrets appropriately in different locations without changing configuration, e.g., pulling from a local keyring in development but from AWS SM in CI.
Here's a simple pipeline configuration:

```yaml
steps:
  - plugins:
      - angaza/summon#v0.1.0:
          secrets-file: path/to/secrets.yml
```
The secrets fetched by summon are exported as environment variables to the rest of the step, including subsequent plugins. To use with the Docker Compose plugin, for example:

```yaml
steps:
  - plugins:
      - angaza/summon#v0.1.0:
          secrets-file: path/to/secrets.yml
      - docker-compose#v2.6.0:
          config: path/to/docker-compose.yml
          run: service-name
```
Most summon options are supported:

```yaml
steps:
  - plugins:
      - angaza/summon#v0.1.0:
          secrets-file: path/to/secrets.yml
          provider: summon-s3
          environment: production
          substitutions:
            - REGION=us-east-1
```
The plugin runs during the post-checkout hook, the earliest point at which the repo is available, since you will typically (but are not required to) reference a checked-in secrets.yml file.
summon must already be installed in the environment where your agent runs, along with whatever provider(s) will be used.
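As an added example (not the plugin's own hook code), here is how a post-checkout hook could assemble the summon command line from the options Buildkite exposes to plugins as BUILDKITE_PLUGIN_SUMMON_* variables, then export only the variables summon added into the rest of the step. The option-to-flag mapping (secrets-file to -f, provider to -p, environment to -e, substitutions to -D) and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the plugin's own hook: build the summon command line from the
# BUILDKITE_PLUGIN_SUMMON_* variables and export the secrets summon resolves into the
# current shell, so later hooks and plugins in the step inherit them.
# Assumed mapping: secrets-file -> -f, provider -> -p, environment -> -e,
# substitutions -> -D KEY=VALUE.
set -eu

# summon_run COMMAND [ARG...]: run COMMAND under summon with the plugin's options.
summon_run() {
  # Buildkite flattens list options to NAME_0, NAME_1, ...; count them first so the
  # -D flags can be prepended in their original order (POSIX sh can only prepend).
  n=0
  while printenv "BUILDKITE_PLUGIN_SUMMON_SUBSTITUTIONS_$n" >/dev/null; do
    n=$((n + 1))
  done
  while [ "$n" -gt 0 ]; do
    n=$((n - 1))
    set -- -D "$(printenv "BUILDKITE_PLUGIN_SUMMON_SUBSTITUTIONS_$n")" "$@"
  done
  if [ -n "${BUILDKITE_PLUGIN_SUMMON_ENVIRONMENT:-}" ]; then
    set -- -e "$BUILDKITE_PLUGIN_SUMMON_ENVIRONMENT" "$@"
  fi
  if [ -n "${BUILDKITE_PLUGIN_SUMMON_PROVIDER:-}" ]; then
    set -- -p "$BUILDKITE_PLUGIN_SUMMON_PROVIDER" "$@"
  fi
  set -- -f "${BUILDKITE_PLUGIN_SUMMON_SECRETS_FILE:-secrets.yml}" "$@"
  summon "$@"
}

# export_secrets: export only what summon added on top of the current environment,
# and refuse to continue if summon fails (a missing secret must not go unnoticed).
# Secret values are assumed to be single-line.
export_secrets() {
  before=$(mktemp); raw=$(mktemp); after=$(mktemp); new=$(mktemp)
  env | sort > "$before"
  if ! summon_run env > "$raw"; then
    echo "summon failed; not exporting secrets" >&2
    rm -f "$before" "$raw" "$after" "$new"
    return 1
  fi
  sort "$raw" > "$after"
  comm -13 "$before" "$after" > "$new"
  while IFS= read -r line; do
    case "$line" in
      _=*) ;;                 # bash's last-argument variable, not a secret
      *) export "$line" ;;
    esac
  done < "$new"
  rm -f "$before" "$raw" "$after" "$new"
}
```

In a real hooks/post-checkout script the file would end with a bare `export_secrets` call.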
You can run the tests for this plugin with:

```sh
docker-compose run --rm tests
```
MIT (see LICENSE)