secrethub/cli@1.1.0

Partner
Load secrets from SecretHub into your CircleCI jobs. To authenticate, create a SecretHub service account with read access and configure the credential as "SECRETHUB_CREDENTIAL" in your CircleCI project settings or Context environment variables. More info: https://secrethub.io/docs/reference/cli/service/
Created: February 25, 2020
Version Published: November 3, 2020
Releases: 4
Org Usage: < 25

Orb Quick Start Guide

Use CircleCI version 2.1 at the top of your .circleci/config.yml file.

```yaml
version: 2.1
```

Add the orbs stanza below your version, invoking the orb:

```yaml
orbs:
  cli: secrethub/cli@1.1.0
```

Use cli elements in your existing workflows and jobs.

Opt-in to use of uncertified orbs on your organization’s Security settings page.

Usage Examples

env_export_command

Use the secrethub/env-export command to load a secret and make it available as an environment variable for the next steps in the job. This is useful for providing an orb job with secrets as a pre-step to the job. Note: Unlike the secrethub/exec command, secrethub/env-export does NOT mask secrets from the logs.

```yaml
orbs:
  docker: circleci/docker@x.y.z
  secrethub: secrethub/cli@x.y.z
version: 2.1
workflows:
  publish:
    jobs:
      - docker/publish:
          image: company/app
          pre-steps:
            - secrethub/env-export:
                secret-path: company/app/docker/username
                var-name: DOCKER_LOGIN
            - secrethub/env-export:
                secret-path: company/app/docker/password
                var-name: DOCKER_PASSWORD
```

install_specific_version

Install a specific version of the SecretHub CLI.

```yaml
jobs:
  deploy:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - secrethub/install:
          version: 0.35.0
      - run: secrethub --version
orbs:
  secrethub: secrethub/cli@x.y.z
version: 2.1
workflows:
  deploy:
    jobs:
      - deploy
```

override_shell_other_orbs

Install the SecretHub CLI and set it as the shell on the job level. This way, you can also inject secrets into other orbs.

```yaml
jobs:
  deploy:
    environment:
      AWS_ACCESS_KEY_ID: secrethub://company/app/aws/access_key_id
      AWS_DEFAULT_REGION: us-east-1
      AWS_SECRET_ACCESS_KEY: secrethub://company/app/aws/secret_access_key
    executor: aws-cli/default
    shell: secrethub run -- /bin/bash
    steps:
      - secrethub/install
      - checkout
      - aws-cli/setup
orbs:
  aws-cli: circleci/aws-cli@x.y.z
  secrethub: secrethub/cli@x.y.z
version: 2.1
workflows:
  deploy:
    jobs:
      - deploy
```

override_shell_run_command

Install the SecretHub CLI and set it as the shell on the run command level. The secrets will be loaded on demand and are available during the execution of the command. Secrets that are (accidentally) logged will be masked.

```yaml
jobs:
  deploy:
    docker:
      - image: cimg/base:stable
    steps:
      - secrethub/install
      - checkout
      - run:
          command: |
            echo "This value will be masked: $AWS_ACCESS_KEY_ID"
            echo "This value will be masked: $AWS_SECRET_ACCESS_KEY"
            ./deploy-my-app.sh
          environment:
            AWS_ACCESS_KEY_ID: secrethub://company/app/aws/access_key_id
            AWS_SECRET_ACCESS_KEY: secrethub://company/app/aws/secret_access_key
          shell: secrethub run -- /bin/bash
orbs:
  secrethub: secrethub/cli@x.y.z
version: 2.1
workflows:
  deploy:
    jobs:
      - deploy
```

run_command_with_secrets

Use the secrethub/exec command to automatically install the SecretHub CLI, load secrets on demand and execute a command that needs the secrets. Secrets that are (accidentally) logged will be masked.

```yaml
jobs:
  deploy:
    docker:
      - image: cimg/base:stable
    environment:
      AWS_ACCESS_KEY_ID: secrethub://company/app/aws/access_key_id
      AWS_REGION: us-east-1
      AWS_SECRET_ACCESS_KEY: secrethub://company/app/aws/secret_access_key
    steps:
      - checkout
      - secrethub/exec:
          command: |
            echo "This value will be masked: $AWS_ACCESS_KEY_ID"
            echo "This value will be masked: $AWS_SECRET_ACCESS_KEY"
            ./deploy-my-app.sh
orbs:
  secrethub: secrethub/cli@x.y.z
version: 2.1
workflows:
  deploy:
    jobs:
      - deploy
```

use_cli

Install the SecretHub CLI and use it in your command.

```yaml
jobs:
  publish-docker:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - setup_remote_docker
      - secrethub/install
      - run: |
          docker login -u $(secrethub read company/app/docker/username) -p $(secrethub read company/app/docker/password)
          docker build -t company/app:${CIRCLE_SHA1:0:7} .
          docker push company/app:${CIRCLE_SHA1:0:7}
orbs:
  secrethub: secrethub/cli@x.y.z
version: 2.1
workflows:
  deploy:
    jobs:
      - publish-docker
```

Commands

env-export

Load a secret and make it available as an environment variable for next steps in the job. Note: Unlike the secrethub/exec command, secrethub/env-export does NOT mask secrets from the logs.

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
| --- | --- | --- | --- | --- |
| secret-path | Path where the secret is stored on SecretHub | Yes | - | string |
| var-name | Name of the environment variable to populate with the secret | Yes | - | string |
| version | Version of the SecretHub CLI | No | 0.38.0 | string |
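
The orb source on this page writes the secret into `$BASH_ENV` as `export VAR=$(cat <<DELIM ... DELIM)` with an unquoted here-document delimiter, so the shell expands `$` sequences inside the secret when a later step sources the file. The check below is an added example, not part of the orb: it round-trips a constructed secret through that shape and through a quoted-delimiter variant. `write_env`, `roundtrip`, `DEMO_SECRET` and `DEMO_OTHER` are hypothetical names, and no SecretHub call is made.

```shell
#!/bin/sh
# Added example, not the orb's code. No SecretHub call is made; the secret
# value below is constructed.

# write_env FILE VAR VALUE QUOTE
# Appends `export VAR=$(cat <<DELIM ... DELIM)` to FILE, the shape the orb's
# env-export step writes to $BASH_ENV. QUOTE is "" (as in the orb source) or
# "'" (quoted delimiter, which makes the here-document body literal).
write_env() {
  delim=$(LC_ALL=C tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 32 || true)
  {
    printf 'export %s=$(cat <<%s%s%s\n' "$2" "$4" "$delim" "$4"
    printf '%s\n' "$3"
    printf '%s\n)\n' "$delim"
  } >> "$1"
}

# roundtrip QUOTE VALUE
# Writes VALUE to a temporary env file, sources it the way a later step would
# load $BASH_ENV, and prints what the variable holds afterwards.
roundtrip() {
  f=$(mktemp)
  write_env "$f" DEMO_SECRET "$2" "$1"
  (
    DEMO_OTHER=leaked   # stands in for any variable already set in the job
    unset DEMO_SECRET
    . "$f"
    printf '%s' "$DEMO_SECRET"
  )
  rm -f "$f"
}

secret='k3y$DEMO_OTHER-x'   # constructed secret containing a "$"
printf 'unquoted delimiter: %s\n' "$(roundtrip '' "$secret")"
printf 'quoted delimiter:   %s\n' "$(roundtrip "'" "$secret")"
```

With the quoted delimiter the value survives unchanged; with the unquoted one the shell also processes backticks and backslashes in the body, so a secret containing them does not reach later steps intact.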

exec

Run a command with secret environment variables loaded from SecretHub

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
| --- | --- | --- | --- | --- |
| command | Command to execute with secrets | Yes | - | string |
| flags | Flags to pass to the `secrethub run` command | No | '' | string |
| step-name | Title of the step to show in the CircleCI UI | No | '' | string |
| version | Version of the SecretHub CLI | No | 0.38.0 | string |

install

Install the SecretHub CLI.

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
| --- | --- | --- | --- | --- |
| path | Path to install SecretHub CLI to | No | /usr/local/bin | string |
| shell | The shell used to run the install script | No | /bin/sh | string |
| version | Version of the SecretHub CLI | No | 0.36.0 | string |

Orb Source

```yaml
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
commands:
  env-export:
    description: |
      Load a secret and make it available as an environment variable for next steps in the job.
      Note: Unlike the secrethub/exec command, secrethub/env-export does NOT mask secrets from the logs.
    parameters:
      secret-path:
        description: Path where the secret is stored on SecretHub
        type: string
      var-name:
        description: Name of the environment variable to populate with the secret
        type: string
      version:
        default: 0.38.0
        description: Version of the SecretHub CLI
        type: string
    steps:
      - install:
          version: << parameters.version >>
      - run:
          command: |
            random_heredoc_identifier=$(cat /dev/urandom | env LC_ALL=C tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1) || true
            printf 'export << parameters.var-name >>=$(cat \<<' >> $BASH_ENV
            printf "${random_heredoc_identifier}\n" >> $BASH_ENV
            secrethub read << parameters.secret-path >> >> $BASH_ENV
            printf "${random_heredoc_identifier}\n)\n" >> $BASH_ENV
          environment:
            SECRETHUB_APP_INFO_NAME: secrethub-circleci-orb
            SECRETHUB_APP_INFO_VERSION: 1.1.0
          name: Load secret << parameters.var-name >>
  exec:
    description: Run a command with secret environment variables loaded from SecretHub
    parameters:
      command:
        description: Command to execute with secrets
        type: string
      flags:
        default: ""
        description: Flags to pass to the `secrethub run` command
        type: string
      step-name:
        default: ""
        description: Title of the step to show in the CircleCI UI
        type: string
      version:
        default: 0.38.0
        description: Version of the SecretHub CLI
        type: string
    steps:
      - install:
          version: << parameters.version >>
      - run:
          command: secrethub run << parameters.flags >> -- $SHELL -c '<< parameters.command >>'
          environment:
            SECRETHUB_APP_INFO_NAME: secrethub-circleci-orb
            SECRETHUB_APP_INFO_VERSION: 1.1.0
            SECRETHUB_RUN_NO_PROMPT: true
          name: << parameters.step-name >>
  install:
    description: |
      Install the SecretHub CLI.
    parameters:
      path:
        default: /usr/local/bin
        description: Path to install SecretHub CLI to
        type: string
      shell:
        default: /bin/sh
        description: The shell used to run the install script
        type: string
      version:
        default: 0.36.0
        description: Version of the SecretHub CLI
        type: string
    steps:
      - run:
          command: |
            set -e

            # Colors
            NO_COLOR="\033[0m"
            OK_COLOR="\033[32;01m"
            ERROR_COLOR="\033[31;01m"
            WARN_COLOR="\033[33;01m"

            # Detect Architecture
            ARCH=amd64
            if [ $(getconf LONG_BIT) = 32 ]; then
              ARCH=386
            fi

            # Detect OS
            UNAME=$(uname)
            if [ "$UNAME" = "Darwin" ]; then
              OS=darwin
            elif [ "$UNAME" = "Linux" ]; then
              OS=linux
            else
              echo -e "${ERROR_COLOR}Cannot determine OS type. Exiting...${NO_COLOR}"
              exit 1
            fi

            # Make sure we have root privileges.
            SUDO=""
            if [ $(id -u) -ne 0 ]; then
              if ! [ $(command -v sudo) ]; then
                echo -e "${ERROR_COLOR}Installer requires root privileges. Please run this script as root.${NO_COLOR}"
                exit 1
              fi
              SUDO="sudo"
            fi

            echo -e "${OK_COLOR}==> Creating directories${NO_COLOR}"
            $SUDO mkdir -p /usr/local/secrethub/bin

            if [ "${SECRETHUB_CLI_VERSION:-latest}" != "latest" ]; then
              VERSION=v${SECRETHUB_CLI_VERSION}
            else
              # Retrieve latest version
              echo -e "${OK_COLOR}==> Retrieving latest version${NO_COLOR}"
              VERSION=$(curl --silent "https://api.github.com/repos/secrethub/secrethub-cli/releases/latest" | grep tag_name | awk -F\" '{ print $4 }')
            fi

            # Exit if version is already installed
            if command -v secrethub >/dev/null 2>&1 && secrethub --version 2>&1 | cut -d "," -f 1 | grep -q "$(echo $VERSION | cut -c 2-)$"; then
              echo -e "${OK_COLOR}==> Version ${VERSION} is already installed${NO_COLOR}"
              exit 0
            fi

            echo -e "${OK_COLOR}==> Downloading version ${VERSION}${NO_COLOR}"
            ARCHIVE_NAME=secrethub-$VERSION-$OS-$ARCH
            LINK_TAR=https://github.com/secrethub/secrethub-cli/releases/download/$VERSION/$ARCHIVE_NAME.tar.gz

            curl -fsSL $LINK_TAR | $SUDO tar -xz -C /usr/local/secrethub;

            # symlink in the PATH
            $SUDO ln -sf /usr/local/secrethub/bin/secrethub /usr/local/bin/secrethub
          environment:
            SECRETHUB_CLI_VERSION: << parameters.version >>
          name: Ensure SecretHub CLI is installed
          shell: << parameters.shell >>
description: |
  Load secrets from SecretHub into your CircleCI jobs.
  To authenticate, create a SecretHub service account with read access and configure the credential as "SECRETHUB_CREDENTIAL" in your CircleCI project settings or Context environment variables.
  More info: https://secrethub.io/docs/reference/cli/service/
display:
  home_url: https://secrethub.io/
  source_url: https://github.com/secrethub/secrethub-circleci-orb
examples:
  env_export_command:
    description: |
      Use the secrethub/env-export command to load a secret and make it available as an environment variable for next steps in the job.
      This is useful for providing an orb job with secrets as pre-step to the job.
      Note: Unlike the secrethub/exec command, the secrethub/env-export does NOT mask secrets from the logs.
    usage:
      orbs:
        docker: circleci/docker@x.y.z
        secrethub: secrethub/cli@x.y.z
      version: 2.1
      workflows:
        publish:
          jobs:
            - docker/publish:
                image: company/app
                pre-steps:
                  - secrethub/env-export:
                      secret-path: company/app/docker/username
                      var-name: DOCKER_LOGIN
                  - secrethub/env-export:
                      secret-path: company/app/docker/password
                      var-name: DOCKER_PASSWORD
  install_specific_version:
    description: |
      Install a specific version of the SecretHub CLI.
    usage:
      jobs:
        deploy:
          docker:
            - image: cimg/base:stable
          steps:
            - checkout
            - secrethub/install:
                version: 0.35.0
            - run: secrethub --version
      orbs:
        secrethub: secrethub/cli@x.y.z
      version: 2.1
      workflows:
        deploy:
          jobs:
            - deploy
  override_shell_other_orbs:
    description: |
      Install the SecretHub CLI and set it as the shell on the job level.
      This way, you can also inject secrets into other orbs.
    usage:
      jobs:
        deploy:
          environment:
            AWS_ACCESS_KEY_ID: secrethub://company/app/aws/access_key_id
            AWS_DEFAULT_REGION: us-east-1
            AWS_SECRET_ACCESS_KEY: secrethub://company/app/aws/secret_access_key
          executor: aws-cli/default
          shell: secrethub run -- /bin/bash
          steps:
            - secrethub/install
            - checkout
            - aws-cli/setup
      orbs:
        aws-cli: circleci/aws-cli@x.y.z
        secrethub: secrethub/cli@x.y.z
      version: 2.1
      workflows:
        deploy:
          jobs:
            - deploy
  override_shell_run_command:
    description: |
      Install the SecretHub CLI and set it as the shell on the run command level.
      The secrets will be loaded on demand and are available during the execution of the command.
      Secrets that are (accidentally) logged will be masked.
    usage:
      jobs:
        deploy:
          docker:
            - image: cimg/base:stable
          steps:
            - secrethub/install
            - checkout
            - run:
                command: |
                  echo "This value will be masked: $AWS_ACCESS_KEY_ID"
                  echo "This value will be masked: $AWS_SECRET_ACCESS_KEY"
                  ./deploy-my-app.sh
                environment:
                  AWS_ACCESS_KEY_ID: secrethub://company/app/aws/access_key_id
                  AWS_SECRET_ACCESS_KEY: secrethub://company/app/aws/secret_access_key
                shell: secrethub run -- /bin/bash
      orbs:
        secrethub: secrethub/cli@x.y.z
      version: 2.1
      workflows:
        deploy:
          jobs:
            - deploy
  run_command_with_secrets:
    description: |
      Use the secrethub/exec command to automatically install the SecretHub CLI, load secrets on demand and execute a command that needs the secrets.
      Secrets that are (accidentally) logged will be masked.
    usage:
      jobs:
        deploy:
          docker:
            - image: cimg/base:stable
          environment:
            AWS_ACCESS_KEY_ID: secrethub://company/app/aws/access_key_id
            AWS_REGION: us-east-1
            AWS_SECRET_ACCESS_KEY: secrethub://company/app/aws/secret_access_key
          steps:
            - checkout
            - secrethub/exec:
                command: |
                  echo "This value will be masked: $AWS_ACCESS_KEY_ID"
                  echo "This value will be masked: $AWS_SECRET_ACCESS_KEY"
                  ./deploy-my-app.sh
      orbs:
        secrethub: secrethub/cli@x.y.z
      version: 2.1
      workflows:
        deploy:
          jobs:
            - deploy
  use_cli:
    description: |
      Install the SecretHub CLI and use it in your command.
    usage:
      jobs:
        publish-docker:
          docker:
            - image: cimg/base:stable
          steps:
            - checkout
            - setup_remote_docker
            - secrethub/install
            - run: |
                docker login -u $(secrethub read company/app/docker/username) -p $(secrethub read company/app/docker/password)
                docker build -t company/app:${CIRCLE_SHA1:0:7} .
                docker push company/app:${CIRCLE_SHA1:0:7}
      orbs:
        secrethub: secrethub/cli@x.y.z
      version: 2.1
      workflows:
        deploy:
          jobs:
            - publish-docker
version: 2.1
```