CircleCI Plugin

To fetch secrets (certs, keys, passwords, etc.) into CircleCI, you can use the Akeyless Platform as secret storage from which secrets are fetched into your CircleCI pipelines.

Prerequisites

An existing repository that is followed by CircleCI (in our example, it's named TestRepo).


Configuration

  1. Set up global configuration in your CircleCI project
    a. Go into Project Settings:

b. Go into Environment Variables to set up the global configuration.
In our example, you need to configure the following environment variables:

  • access_id
  • access_key

Similarly, you can set your admin_email and admin_password as environment variables:

  2. Create or update your config.yml file for CircleCI (it should be at .circleci/config.yml):
version: 2.1
jobs:
  build:
    docker:
      - image: akeyless/ci_base
    steps:
      - checkout # check out the code in the project directory
      - run:
          name: "Authenticate to Akeyless"
          command: akeyless auth --admin-email $admin_email --admin-password $admin_password
      - run:
          name: "Fetch Akeyless secrets"
          command: akeyless get-secret-value -n /MySecret1

In this example, we used email and password authentication to fetch the secret /MySecret1.

Note: You can choose any Authentication Method. Make sure that this Authentication Method has access to your secret.

Using OpenID Connect ID tokens

In jobs using a context, CircleCI provides an OpenID Connect (OIDC) ID token in an environment variable. A job can use this token to access compatible cloud services without a long-lived credential stored in CircleCI.

In CircleCI jobs that use at least one context, the OpenID Connect ID token is available in the environment variable $CIRCLE_OIDC_TOKEN.

The OpenID Provider is unique to your organization. The URL is https://oidc.circleci.com/org/ORGANIZATION_ID, where ORGANIZATION_ID is the organization ID (a universally unique identifier) that represents your organization. You can find your CircleCI organization ID by navigating to Organization Settings > Overview on the CircleCI web app.

The OpenID Connect ID tokens issued by CircleCI have a fixed audience, which is also the organization ID. A full list of available claims can be found in the CircleCI docs. Those claims can later be used in the Access Roles setup.

In Akeyless Platform, create a new Authentication Method type of OAuth2.0/JWT with the following settings:

akeyless create-auth-method-oauth2 --name CircleCI --jwks-uri https://oidc.circleci.com/org/<ORGANIZATIONID>/.well-known/jwks-pub.json --unique-identifier <ORGANIZATIONID>

Make sure to replace <ORGANIZATIONID> with your CircleCI Organization ID, and associate the new Auth Method you created with an Access Role.

Tip: More information can be obtained directly from https://oidc.circleci.com/org/<ORGANIZATIONID>/.well-known/openid-configuration, as described in the CircleCI docs.

Create a context in CircleCI (in the following example the context name is akeyless) and add this context to a job by adding the context key to the workflows section of your .circleci/config.yml file:

workflows:
  my-workflow:
    jobs:
      - run-tests:
          context:
            - akeyless

In the CircleCI project settings, create an environment variable that holds only the Access ID of the Auth Method you created; in our example we named it accessid:

# Use the latest 2.1 version of CircleCI pipeline process engine.
# See: https://circleci.com/docs/2.0/configuration-reference
version: 2.1

# Define a job to be invoked later in a workflow.
# See: https://circleci.com/docs/2.0/configuration-reference/#jobs
jobs:
  say-hello:
    docker:
      - image: 'akeyless/ci_base'
    # Add steps to the job
    # See: https://circleci.com/docs/2.0/configuration-reference/#steps
    steps:
      - checkout
      - run:
          name: "Authenticate To Akeyless"
          command: akeyless auth --access-id $accessid --access-type jwt --jwt $CIRCLE_OIDC_TOKEN
      - run:
          name: "Fetch Akeyless secrets"
          command: akeyless get-secret-value -n /MySecret1
# Invoke jobs via workflows
# See: https://circleci.com/docs/2.0/configuration-reference/#workflows
workflows:
  say-hello-workflow:
    jobs:
      - say-hello:
          context:
            - akeyless
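As an added example (not code from this page, from Akeyless, or from CircleCI): a pre-flight check a job could run on $CIRCLE_OIDC_TOKEN before handing it to akeyless auth, covering the issuer, the audience (the organization ID, as the text above states), expiry and the subject claim. Signature verification against the jwks-pub.json URL stays with Akeyless; the organization and project IDs and the sample token below are constructed placeholders.

```python
import base64, json, time

# Constructed placeholder IDs: not a real CircleCI organization or project.
ORG_ID = "00000000-0000-4000-8000-000000000001"
PROJECT_ID = "00000000-0000-4000-8000-0000000000aa"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_sample_token(org_id, exp):
    """Unsigned look-alike of CIRCLE_OIDC_TOKEN for offline use: the claim
    layout is realistic, the signature segment is a placeholder."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    payload = {
        "iss": "https://oidc.circleci.com/org/" + org_id,
        "aud": org_id,  # CircleCI fixes the audience to the organization ID
        "sub": "org/%s/project/%s/user/constructed-user" % (org_id, PROJECT_ID),
        "iat": exp - 3600,
        "exp": exp,
    }
    return ".".join(_b64url(json.dumps(p).encode()) for p in (header, payload)) \
        + "." + _b64url(b"placeholder-signature")

def check_claims(token, org_id, now=None):
    """Return claim problems (empty list = token comes from this organization's
    provider, is addressed to it, and is unexpired). The signature is NOT
    checked here; the verifier does that with the provider's jwks-pub.json."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    try:
        claims = json.loads(_unb64url(parts[1]))
    except ValueError:  # bad base64url and bad JSON both raise ValueError
        return ["payload is not base64url-encoded JSON"]
    problems = []
    if claims.get("iss") != "https://oidc.circleci.com/org/" + org_id:
        problems.append("unexpected issuer: %r" % claims.get("iss"))
    aud = claims.get("aud")
    if org_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience %r is not this organization" % (aud,))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token is expired or has no exp claim")
    if not str(claims.get("sub", "")).startswith("org/%s/" % org_id):
        problems.append("subject %r is outside this organization" % claims.get("sub"))
    return problems
```

In a job you would call check_claims on the real token with your organization ID and fail the step if the list is non-empty, so a misrouted token never reaches the authentication step.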

Working with Gateway

To work with Zero Knowledge encryption based on your fragment:

Go into Environment Variables to set up the global configuration and add the following environment variable: AKEYLESS_GATEWAY_URL
If you have your own Akeyless Gateway set up, set it to the URL of the Gateway's RESTful API port (8080); otherwise you can use the Akeyless Public Gateway at https://rest.akeyless.io

Tip: The Akeyless Gateway must be reachable from the network the job runs in, so working with your own Gateway is typically done when running CircleCI with self-hosted runners.