TeamCity Plugin

When performing integration tests and deployments, build scripts need credentials to access external servers and services. The TeamCity plugin allows connecting TeamCity to the Akeyless Vault Platform, requesting new credentials when a build starts, passing them to the build script, and revoking them immediately when it finishes.

Tip

Akeyless developed API compatibility with HashiCorp Vault OSS, enabling the use of Vault OSS community plugins for both static and dynamic secrets.

Prerequisites

  1. A TeamCity server with an authorized BuildAgent.

  2. An Authentication Method configured in the Akeyless Vault Platform with access to the secrets that will be used by the build agent.

Info

Currently, the TeamCity plugin supports three authentication methods: AWS IAM, LDAP, and Akeyless API Key (Vault AppRole).

Ensure that your Authentication Method is associated with an access role that has sufficient permissions to access the required secrets.

Configure The TeamCity Plugin

  1. Log in to TeamCity and go to Administration > Plugins.
  2. Click Browse plugins repository to find and download the HashiCorp Vault plugin.
  3. Then click Upload plugin ZIP to install the HashiCorp Vault plugin.
  4. Go to Administration > Projects and create a new project.
  5. Open the created project and go to the Connections section.
  6. Click Add Connection to connect your project to the Vault plugin.
  7. Provide connection parameters to the Akeyless Vault Platform in the pop-up window.

Where:

  • Vault URL: Specify your Gateway URL with the HVP port: https://<Your.Gateway.URL>:8200 or use the public endpoint of Akeyless Vault Proxy https://hvp.akeyless.io.

  • Authentication method: Select the authentication method to use when authenticating with Akeyless Vault Platform.

Available options: AWS IAM, LDAP, or Akeyless API Key (Vault AppRole).

For example, to use API Key set the following:

  • AppRole Role ID: Your API Key Access ID.

  • AppRole Secret ID: Access Key for the provided Access ID.

Static Secrets

Let's create a static secret first. For that, run the following command:

akeyless create-secret --name hvp/test --value '{"password":"1234","username":"abcd"}'

After that, you need to create an environment variable in your TeamCity project that will be used by build scripts to fetch a secret.

  1. Go to the Parameters section to declare a new build parameter which will refer to the Akeyless secret. Currently, these values can be used in the build parameter declaration only and cannot be specified in build steps.
  2. Click Add new parameter and provide the settings in the pop-up window.

Where:

  • Name: Specify your parameter name (without any prefixes).

  • Kind: Select the Environment variable (env.) parameter type. This will add an env. prefix to the parameter name, but later in the build script, you should specify the name without a prefix.

  • Value: Provide the full path to your secret in Akeyless using the following format:

Syntax:

%vault:secret/PATH!KEY% where PATH is the secret full name, and KEY is the specific value inside.

In our example: %vault:secret/hvp/test!/password%

Finally, let's create a simple build script using this environment variable and run it.

In the Audit Logs screen, you'll see that the script requested and successfully received the hvp/test secret value.

Dynamic Secrets

  1. Go to the Parameters section to declare new build parameters for username and password which will refer to the corresponding dynamic secret values.
  2. Click Add new parameter and provide the settings in the pop-up window.

[Screenshots: a variable for the username; a variable for the password]

Where:

  • Name: Specify your parameter name (without any prefixes).

  • Kind: Select the Environment variable (env.) parameter type. This will add an env. prefix to the parameter name, but later in the build script, you should specify the name without a prefix.

  • Value: Provide the full path to your secret in Akeyless using the following format:

Syntax:

%vault:PATH!KEY% where PATH is a path to the secret, and KEY is a specific value in this secret item.

%vault:/dynamic-secret-type/creds/path/to/secretname!%

In our example: %vault:/mysql/creds/hvp/mysqlusername!% and %vault:/mysql/creds/hvp/mysqlpassword!%.

Finally, create a simple build script that uses these environment variables and run it.
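A build step for the static and dynamic secret sections above, written as an added example that is not part of the Akeyless documentation: it fails closed when an injected variable is missing or still looks like an unresolved reference, and masks the password in tool output. The parameter names DB_USERNAME and DB_PASSWORD, the helper functions, and the treatment of a literal %vault:...% value as unresolved are assumptions.

```shell
#!/bin/sh
# Added example, not Akeyless or TeamCity code. DB_USERNAME and DB_PASSWORD are
# hypothetical parameter names (declared as env.DB_USERNAME, env.DB_PASSWORD).
set -u   # deliberately no 'set -x': tracing would copy secrets into the log

# check_secret NAME -> 0 usable, 1 unset or empty, 3 invalid variable name,
# 2 value still shaped like a %vault:...% reference (assumption: unresolved).
check_secret() {
    case $1 in ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) return 3 ;; esac
    eval "cs_value=\${$1-}"
    case $cs_value in
        '')        cs_rc=1 ;;
        %vault:*%) cs_rc=2 ;;
        *)         cs_rc=0 ;;
    esac
    unset cs_value
    return "$cs_rc"
}

# redact SECRET: copy stdin to stdout, replacing each literal occurrence of
# SECRET with ***. The value reaches awk via its environment, not its argv.
redact() {
    REDACT_VALUE=$1 awk '
        BEGIN { s = ENVIRON["REDACT_VALUE"]; n = length(s) }
        {
            rest = $0; out = ""
            while (n > 0 && (i = index(rest, s)) > 0) {
                out = out substr(rest, 1, i - 1) "***"
                rest = substr(rest, i + n)
            }
            print out rest
        }'
}

# build_step: fail closed before any tool runs, then filter the tool's output.
build_step() {
    for bs_name in DB_USERNAME DB_PASSWORD; do
        check_secret "$bs_name" || {
            echo "secret $bs_name unavailable (code $?)" >&2
            return 1
        }
    done
    # Stand-in for the real tool; it echoes the password to show the masking.
    printf 'connecting as %s with %s\n' "$DB_USERNAME" "$DB_PASSWORD" |
        redact "$DB_PASSWORD"
}

# Demo with constructed values (the page's sample secret) so it runs offline.
( DB_USERNAME=abcd; DB_PASSWORD=1234; build_step )
```

In a real build, drop the demo line and call build_step directly so the step exits non-zero when a credential was not injected.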