Teamcity Plugin
When performing integration tests and deployments, build scripts need credentials to access external servers and services. The TeamCity plugin allows connecting TeamCity to the Akeyless Platform, requesting new credentials when a build starts, passing them to the build script, and revoking them immediately when it finishes.
Note
Akeyless provides API compatibility with HashiCorp Vault OSS, so Vault OSS community plugins can be used for both static and dynamic secrets. You can find more information here.
Prerequisites
- A TeamCity server with an authorized build agent.
- An Authentication Method configured in the Akeyless Platform with access to the secrets the build agent will use.
Info
Currently, the TeamCity plugin supports three authentication methods: AWS IAM, LDAP, and Akeyless API Key (Vault AppRole).
Ensure that your Authentication Method is associated with an Access Role that has sufficient permissions to access the required secrets.
Configure The TeamCity Plugin
- Log in to TeamCity and go to Administration > Plugins.
![TC-Plugin-01.png 1580](https://files.readme.io/b6836f5-TC-Plugin-01.png)
- Click Browse plugins repository to find and download the HashiCorp Vault plugin.
![TC-Plugin-02.png 1266](https://files.readme.io/9748a1d-TC-Plugin-02.png)
- Then click Upload plugin ZIP to install the HashiCorp Vault plugin.
![TC-Plugin-03.png 1330](https://files.readme.io/3525c64-TC-Plugin-03.png)
- Go to Administration > Projects and create a new project.
![TC-Plugin-04.png 1508](https://files.readme.io/55d4b83-TC-Plugin-04.png)
- Open the created project and go to the Connections section.
![TC-Plugin-05.png 1417](https://files.readme.io/a0acacb-TC-Plugin-05.png)
- Click Add Connection to connect your project to the Vault plugin.
![TC-Plugin-06.png 1239](https://files.readme.io/6c9b5cd-TC-Plugin-06.png)
- Provide connection parameters to the Akeyless Platform in the pop-up window.
![TC-Plugin-07.png 1573](https://files.readme.io/d23f619-TC-Plugin-07.png)
Where:
- Vault URL: Specify your Gateway URL with the HVP port, https://<Your-Gateway-URL>:8200, or use the public endpoint of Akeyless HVP: https://hvp.akeyless.io.
- Authentication method: Select the authentication method to use when authenticating with Akeyless. Available options: AWS IAM, LDAP, or Akeyless API Key (Vault AppRole). For example, to use API Key set the following:
  - AppRole Role ID: the Access ID of your API Key.
  - AppRole Secret ID: the Access Key of the provided Access ID.
Static Secrets
Let's create a static secret first. For that, run the following command:
```shell
akeyless create-secret --name hvp/test --value '{"password":"1234","username":"abcd"}'
```
After that, create an environment variable in your TeamCity project that build scripts will use to fetch the secret.
- Go to the Parameters section to declare a new build parameter which will refer to the Akeyless secret. Currently, these values can be used in the build parameter declaration only and cannot be specified in build steps.
![TC-parameters.png 1528](https://files.readme.io/19f7283-TC-parameters.png)
- Click Add new parameter and provide the settings in the pop-up window.
![TC-New-Parameter.png 1551](https://files.readme.io/ea40d72-TC-New-Parameter.png)
Where:
- Name: Specify your parameter name (without any prefixes).
- Kind: Select the Environment variable (env.) parameter type. This adds an env. prefix to the parameter name, but in the build script you refer to the name without the prefix.
- Value: Provide the full path to your secret in Akeyless using the following syntax: %vault:secret/PATH!KEY%, where PATH is the full secret name and KEY is the specific value inside it. In our example: %vault:secret/hvp/test!/password%
Finally, let's create a simple build script using this environment variable and run it:
![TC-GenSettings.png 1511](https://files.readme.io/359e8ae-TC-GenSettings.png)
In the Audit Logs screen, you'll see that the script requested and successfully received the hvp/test secret value:
![TC-Results.png 1587](https://files.readme.io/eb25fc4-TC-Results.png)
Dynamic Secrets
- Go to the Parameters section to declare new build parameters for username and password which will refer to the corresponding dynamic secret values.
![TC-parameters.png 1528](https://files.readme.io/c51a015-TC-parameters.png)
- Click Add new parameter and provide the settings in the pop-up window.
Where:
- Name: Specify your parameter name (without any prefixes).
- Kind: Select the Environment variable (env.) parameter type. This adds an env. prefix to the parameter name, but in the build script you refer to the name without the prefix.
- Value: Provide the full path to your secret in Akeyless using the following syntax: %vault:/<dynamic-secret-type>/creds/<path/to/secretname>!/<JSON Entry>%. In our example: %vault:/mysql/creds/hvp/mysql!/username% and %vault:/mysql/creds/hvp/mysql!/password%, where the dynamic secret name is /mysql.
Another example:
%vault:azure/creds/<path/to/secretname>!/user.password%
%vault:azure/creds/<path/to/secretname>!/user.userPrincipalName%
Finally, create a simple build script using these environment variables, and run it:
![TC-Dynamic3.png 1396](https://files.readme.io/fb23889-TC-Dynamic3.png)
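The static and dynamic parameter syntax described above, as an added example (not part of the Akeyless docs or the plugin): a small Python parser that splits a %vault:...!...% build-parameter value into its engine, secret name and JSON entry, and resolves a static reference against the JSON value created earlier with create-secret. The regex, the leading-slash handling of the key and the flat JSON lookup are assumptions.

```python
"""Parse TeamCity build-parameter references to Akeyless secrets via the Vault plugin.

Reference forms from the page:
  static:  %vault:secret/PATH!KEY%
  dynamic: %vault:/<dynamic-secret-type>/creds/<path/to/secretname>!/<JSON Entry>%
"""
import json
import re
from dataclasses import dataclass

# Constructed regex: everything before "!" is the path, everything after is the key.
REF_RE = re.compile(r"^%vault:(?P<path>[^!%]+)!(?P<key>[^%]+)%$")


@dataclass(frozen=True)
class SecretRef:
    kind: str    # "static" or "dynamic"
    engine: str  # "secret" for static, the dynamic secret type (e.g. "mysql") otherwise
    name: str    # Akeyless secret name, e.g. "hvp/test" or "hvp/mysql"
    key: str     # JSON entry to extract, e.g. "password"


def parse_ref(value: str) -> SecretRef:
    """Split a %vault:...!...% parameter value into its parts; ValueError if malformed."""
    m = REF_RE.match(value)
    if not m:
        raise ValueError(f"not a %vault:...!...% reference: {value!r}")
    parts = m.group("path").strip("/").split("/")
    key = m.group("key").lstrip("/")  # the page's examples write "!/password"
    if parts[0] == "secret" and len(parts) > 1:
        return SecretRef("static", "secret", "/".join(parts[1:]), key)
    if len(parts) > 2 and parts[1] == "creds":
        return SecretRef("dynamic", parts[0], "/".join(parts[2:]), key)
    raise ValueError(f"unrecognised secret path {m.group('path')!r}")


def is_valid_ref(value: str) -> bool:
    """True if the value parses as a static or dynamic reference."""
    try:
        parse_ref(value)
        return True
    except ValueError:
        return False


def resolve_static(ref: SecretRef, secret_json: str) -> str:
    """Pick the referenced entry out of a static secret's JSON value (assumed flat)."""
    if ref.kind != "static":
        raise ValueError("only static secrets carry a fixed JSON value")
    data = json.loads(secret_json)
    if ref.key not in data:
        raise KeyError(f"secret has no entry {ref.key!r}; available: {sorted(data)}")
    return str(data[ref.key])
```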