The Akeyless Platform can serve as the secret store for CircleCI: secrets (certificates, passwords, keys, and so on) kept in Akeyless are fetched into your CircleCI pipelines at build time instead of being stored in CircleCI itself.
Prerequisite: an existing repository that is followed by CircleCI (in our example it is named TestRepo).
- Set up the global configuration in your CircleCI project:
a. Open Project Settings.
b. Open Environment Variables to set up the global configuration.
In our example, configure the following environment variables:
Similarly, set admin_email and admin_password as environment variables. Note that these are long-lived administrator credentials stored in CircleCI; the OIDC-based method described later on this page avoids storing any long-lived credential.
- Create or update your CircleCI config file (it must be located at .circleci/config.yml):

```yaml
version: 2.1
jobs:
  build:
    docker:
      - image: akeyless/ci_base
    steps:
      - checkout # check out the code in the project directory
      - run:
          name: "Authenticate to Akeyless"
          command: akeyless auth --admin-email $admin_email --admin-password $admin_password
      - run:
          name: "Fetch Akeyless secrets"
          command: akeyless get-secret-value -n /MySecret1
```
In this example, we used email and password authentication to fetch the secret:
You can choose any Authentication Method. Make sure that the Authentication Method you choose has access to your secret through an Access Role.
In jobs that use at least one context, CircleCI provides an OpenID Connect (OIDC) ID token in the environment variable CIRCLE_OIDC_TOKEN. A job can present this token to compatible services, such as Akeyless, without a long-lived credential being stored in CircleCI.
The OpenID Provider is unique to your organization. Its URL is https://oidc.circleci.com/org/ORGANIZATION_ID, where ORGANIZATION_ID is the organization ID (a universally unique identifier) that represents your organization. You can find your CircleCI organization ID by navigating to Organization Settings > Overview in the CircleCI web app.
The OIDC tokens issued by CircleCI have a fixed audience, which is also the organization ID. A full list of the available claims can be found in the CircleCI documentation; those claims can later be used to restrict the Access Role setup.
```shell
akeyless create-auth-method-oauth2 --name CircleCI --jwks-uri https://oidc.circleci.com/org/<ORGANIZATIONID>/.well-known/jwks-pub.json --unique-identifier <ORGANIZATIONID>
```
Make sure to replace <ORGANIZATIONID> with your CircleCI Organization ID, then associate the new Auth Method with an Access Role that grants access to the secret. Because every job in the organization that uses a context receives a token with this audience, restrict the association with sub-claims (for example the project ID) so that only the intended project's jobs can read the secret.
More information can be obtained directly from the OpenID discovery document at https://oidc.circleci.com/org/<ORGANIZATIONID>/.well-known/openid-configuration, as described in the CircleCI docs.
Create a context in CircleCI (in the following example the context is named akeyless) and add it to a job by adding the context key to the workflows section of your config.yml:

```yaml
workflows:
  my-workflow:
    jobs:
      - run-tests:
          context:
            - akeyless
```
In the CircleCI project settings, create an environment variable that holds only the Access ID of the Auth Method you created (the Access ID is an identifier, not a secret). In our example it is named accessid:

```yaml
# Use the latest 2.1 version of CircleCI pipeline process engine.
# See: https://circleci.com/docs/2.0/configuration-reference
version: 2.1

# Define a job to be invoked later in a workflow.
# See: https://circleci.com/docs/2.0/configuration-reference/#jobs
jobs:
  say-hello:
    docker:
      - image: 'akeyless/ci_base'
    # Add steps to the job
    # See: https://circleci.com/docs/2.0/configuration-reference/#steps
    steps:
      - checkout
      - run:
          name: "Authenticate To Akeyless"
          command: akeyless auth --access-id $accessid --access-type jwt --jwt $CIRCLE_OIDC_TOKEN
      - run:
          name: "Fetch Akeyless secrets"
          command: akeyless get-secret-value -n /MySecret1

# Invoke jobs via workflows
# See: https://circleci.com/docs/2.0/configuration-reference/#workflows
workflows:
  say-hello-workflow:
    jobs:
      - say-hello:
          context:
            - akeyless
```
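To decide which claims to pin on the Access Role, and to confirm that the token a job receives really carries your organization ID as its audience, it helps to look at the token's claims without ever printing the token itself to the job log. The following script is an added example for this page, not Akeyless or CircleCI code. It assumes the claim names oidc.circleci.com/project-id and oidc.circleci.com/context-ids from CircleCI's published OIDC claim list, uses a placeholder organization ID, and falls back to a constructed sample token with a dummy signature so that it runs offline. It does not verify the signature; Akeyless does that against the JWKS URI configured on the Auth Method.

```python
"""Inspect a CircleCI OIDC token's claims before binding it to an Akeyless Access Role.

Added example for this page, not Akeyless or CircleCI code. It mirrors the
issuer/audience/expiry checks a JWT auth method applies but does NOT verify
the signature: Akeyless does that against the JWKS URI on the auth method.
"""
import base64
import json
import os
import time

# Placeholder organization ID for the example (assumption, not a real org).
ORG_ID = "11111111-2222-3333-4444-555555555555"

# Claim names as published in CircleCI's OIDC claim list (assumption: confirm
# against your org's openid-configuration before pinning them on a role).
PROJECT_CLAIM = "oidc.circleci.com/project-id"
CONTEXT_CLAIM = "oidc.circleci.com/context-ids"


def _b64url_decode(segment):
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token):
    """Return the payload of a compact JWS without verifying its signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("refusing an unsigned token")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims, org_id, now=None):
    """Return a list of problems; an empty list means the iss/aud/exp checks would pass."""
    now = time.time() if now is None else now
    problems = []
    expected_iss = "https://oidc.circleci.com/org/" + org_id
    if claims.get("iss") != expected_iss:
        problems.append("iss %r != %r" % (claims.get("iss"), expected_iss))
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if org_id not in aud_list:
        problems.append("aud %r does not contain the organization ID" % (aud,))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or exp missing")
    return problems


def role_sub_claims(claims):
    """Select claim=value pairs to pin on the Access Role so only one project's jobs match."""
    pinned = {}
    if PROJECT_CLAIM in claims:
        pinned[PROJECT_CLAIM] = str(claims[PROJECT_CLAIM])
    if CONTEXT_CLAIM in claims:
        ids = claims[CONTEXT_CLAIM]
        pinned[CONTEXT_CLAIM] = ",".join(ids) if isinstance(ids, list) else str(ids)
    return pinned


def make_sample_token(claims):
    """Build a token with a dummy signature so the example runs offline (constructed data)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return "%s.%s.%s" % (header, payload, _b64url_encode(b"not-a-real-signature"))


# Constructed sample resembling a token for a job that used one context.
SAMPLE_NOW = 1700000000
SAMPLE_CLAIMS = {
    "iss": "https://oidc.circleci.com/org/" + ORG_ID,
    "aud": ORG_ID,
    "sub": "org/%s/project/aaaa-project/user/bbbb-user" % ORG_ID,
    "iat": SAMPLE_NOW,
    "exp": SAMPLE_NOW + 3600,
    PROJECT_CLAIM: "aaaa-project",
    CONTEXT_CLAIM: ["cccc-context"],
}
SAMPLE_TOKEN = make_sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    # In a CircleCI job the token is in CIRCLE_OIDC_TOKEN. Print claims, never the token.
    token = os.environ.get("CIRCLE_OIDC_TOKEN")
    using_sample = not token
    if using_sample:
        token = SAMPLE_TOKEN
    claims = decode_claims(token)
    print("problems:", check_claims(claims, ORG_ID, now=SAMPLE_NOW if using_sample else None))
    print("sub-claims to pin on the Access Role:", role_sub_claims(claims))
```

Run it as an extra `run` step in a job that uses the context (`python3 inspect_oidc.py`, with ORG_ID set to your organization ID); the printed claim=value pairs are what you pass as sub-claims when associating the Auth Method with the Access Role (with the Akeyless CLI this is the `--sub-claims` option of `akeyless assoc-role-am` as I know it; check `akeyless assoc-role-am --help` for the current form).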
To work with Zero Knowledge encryption based on your customer fragment, the CLI must go through an Akeyless Gateway:
Open Environment Variables to set up the global configuration and configure the following environment variable:
If you have your own Akeyless Gateway set up, set the URL of its RESTful API port (8080); otherwise you can use the Akeyless Public Gateway at the following URL:
The Akeyless Gateway must be reachable from the network the job runs in, so working with your own Gateway is typically done when running CircleCI with self-hosted runners.