Buildkite plugin for secrets distribution using `summon`
Latest commit 212589e Feb 17, 2019

Summon Buildkite Plugin

summon is a tool for fetching secrets from secure storage; this plugin makes it easy to use in Buildkite jobs.

Some reasons you might care:

  • Maybe you're still hardcoding secrets in your Buildkite pipeline settings? If so, that is bad and you should stop. This plugin helps you stop.
  • You can immediately leverage any of the existing summon secrets providers, so you have flexibility in what secure storage you use.
  • By installing different default providers on different machines, you can fetch secrets appropriately in different locations without changing configuration, e.g., pulling from a local keyring in development but from AWS SM in CI.


Here's a simple pipeline configuration:

  - plugins:
      - angaza/summon#v0.1.0:
          secrets-file: path/to/secrets.yml

The secrets fetched by summon are exported as environment variables to the rest of the step, including subsequent plugins. To use with the Docker Compose plugin, for example:

  - plugins:
      - angaza/summon#v0.1.0:
          secrets-file: path/to/secrets.yml
      - docker-compose#v2.6.0:
          config: path/to/docker-compose.yml
          run: service-name
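
As an added illustration (not this plugin's hook code), the following sketch shows one way a hook could turn `KEY=VALUE` lines, such as the output of `summon -f secrets.yml cat @SUMMONENVFILE`, into exported variables without `eval` or `source`. The function names and the list of protected variable names are assumptions made for this example, and it assumes one pair per line.

```shell
#!/bin/sh
# Added example (not the plugin's hook). Exports KEY=VALUE lines, the format
# summon writes to @SUMMONENVFILE, without eval/source, so a secret's value
# is never parsed as shell. Assumes one KEY=VALUE pair per line.

# Names a fetched secret may not override (assumed policy; adjust locally).
is_protected_name() {
  case $1 in
    PATH|IFS|ENV|BASH_ENV|HOME|SHELL|LD_*|BUILDKITE_*) return 0 ;;
  esac
  return 1
}

# POSIX variable name: letters, digits, underscore; no leading digit.
is_valid_name() {
  case $1 in
    ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
  esac
  return 0
}

# Usage: export_env_lines < file
# Returns 0 if every non-empty line was exported, 1 if any was rejected.
export_env_lines() {
  _rc=0 _n=0
  while IFS= read -r _line || [ -n "$_line" ]; do
    _n=$((_n + 1))
    [ -z "$_line" ] && continue
    _name=${_line%%=*}
    case $_line in
      *=*) ;;
      *) _name='' ;;   # no '=' at all: treat as invalid
    esac
    if ! is_valid_name "$_name" || is_protected_name "$_name"; then
      # Report the line number only; never echo fetched content to the log.
      echo "summon-env: rejected line $_n" >&2
      _rc=1
      continue
    fi
    export "$_name=${_line#*=}"
  done
  return "$_rc"
}
```
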

Most summon options are supported:

  - plugins:
      - angaza/summon#v0.1.0:
          secrets-file: path/to/secrets.yml
          provider: summon-s3
          environment: production
          substitutions:
            - REGION=us-east-1

The plugin runs during the post-checkout hook, the earliest point at which the repo is available, since you will typically (but are not required to) reference a checked-in secrets.yml file.


summon must already be installed in the environment where your agent runs, along with whatever provider(s) will be used.


You can run the tests for this plugin with:

docker-compose run --rm tests


