Use CircleCI version 2.1 at the top of your .circleci/config.yml file.
version: 2.1
Add the orbs stanza below your version, invoking the orb:
orbs:
  cli: secrethub/cli@1.1.0
Use cli elements in your existing workflows and jobs.
Opt-in to use of uncertified orbs on your organization’s Security settings page.
Use the secrethub/env-export command to load a secret and make it available as an environment variable for the next steps in the job. This is useful for providing an orb job with secrets as a pre-step to the job. Note: Unlike the secrethub/exec command, secrethub/env-export does NOT mask secrets from the logs.
orbs:
  docker: circleci/docker@x.y.z
  secrethub: secrethub/cli@x.y.z
version: 2.1
workflows:
  publish:
    jobs:
      - docker/publish:
          image: company/app
          pre-steps:
            - secrethub/env-export:
                secret-path: company/app/docker/username
                var-name: DOCKER_LOGIN
            - secrethub/env-export:
                secret-path: company/app/docker/password
                var-name: DOCKER_PASSWORD
Install a specific version of the SecretHub CLI.
jobs:
  deploy:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - secrethub/install:
          version: 0.35.0
      - run: secrethub --version
orbs:
  secrethub: secrethub/cli@x.y.z
version: 2.1
workflows:
  deploy:
    jobs:
      - deploy
Install the SecretHub CLI and set it as the shell on the job level. This way, you can also inject secrets into other orbs.
jobs:
  deploy:
    environment:
      AWS_ACCESS_KEY_ID: secrethub://company/app/aws/access_key_id
      AWS_DEFAULT_REGION: us-east-1
      AWS_SECRET_ACCESS_KEY: secrethub://company/app/aws/secret_access_key
    executor: aws-cli/default
    shell: secrethub run -- /bin/bash
    steps:
      - secrethub/install
      - checkout
      - aws-cli/setup
orbs:
  aws-cli: circleci/aws-cli@x.y.z
  secrethub: secrethub/cli@x.y.z
version: 2.1
workflows:
  deploy:
    jobs:
      - deploy
Install the SecretHub CLI and set it as the shell on the run command level. The secrets will be loaded on demand and are available during the execution of the command. Secrets that are (accidentally) logged will be masked.
jobs:
  deploy:
    docker:
      - image: cimg/base:stable
    steps:
      - secrethub/install
      - checkout
      - run:
          command: |
            echo "This value will be masked: $AWS_ACCESS_KEY_ID"
            echo "This value will be masked: $AWS_SECRET_ACCESS_KEY"
            ./deploy-my-app.sh
          environment:
            AWS_ACCESS_KEY_ID: secrethub://company/app/aws/access_key_id
            AWS_SECRET_ACCESS_KEY: secrethub://company/app/aws/secret_access_key
          shell: secrethub run -- /bin/bash
orbs:
  secrethub: secrethub/cli@x.y.z
version: 2.1
workflows:
  deploy:
    jobs:
      - deploy
Use the secrethub/exec command to automatically install the SecretHub CLI, load secrets on demand and execute a command that needs the secrets. Secrets that are (accidentally) logged will be masked.
jobs:
  deploy:
    docker:
      - image: cimg/base:stable
    environment:
      AWS_ACCESS_KEY_ID: secrethub://company/app/aws/access_key_id
      AWS_REGION: us-east-1
      AWS_SECRET_ACCESS_KEY: secrethub://company/app/aws/secret_access_key
    steps:
      - checkout
      - secrethub/exec:
          command: |
            echo "This value will be masked: $AWS_ACCESS_KEY_ID"
            echo "This value will be masked: $AWS_SECRET_ACCESS_KEY"
            ./deploy-my-app.sh
orbs:
  secrethub: secrethub/cli@x.y.z
version: 2.1
workflows:
  deploy:
    jobs:
      - deploy
Install the SecretHub CLI and use it in your command.
jobs:
  publish-docker:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - setup_remote_docker
      - secrethub/install
      - run: |
          # Note: -p places the password in the process argument list (visible in ps);
          # docker login --password-stdin avoids that.
          docker login -u $(secrethub read company/app/docker/username) -p $(secrethub read company/app/docker/password)
          docker build -t company/app:${CIRCLE_SHA1:0:7} .
          docker push company/app:${CIRCLE_SHA1:0:7}
orbs:
  secrethub: secrethub/cli@x.y.z
version: 2.1
workflows:
  deploy:
    jobs:
      - publish-docker
Command: secrethub/env-export
Load a secret and make it available as an environment variable for next steps in the job. Note: Unlike the secrethub/exec command, secrethub/env-export does NOT mask secrets from the logs.

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| secret-path | Path where the secret is stored on SecretHub | Yes | - | string |
| var-name | Name of the environment variable to populate with the secret | Yes | - | string |
| version | Version of the SecretHub CLI | No | 0.38.0 | string |

Command: secrethub/exec
Run a command with secret environment variables loaded from SecretHub.

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| command | Command to execute with secrets | Yes | - | string |
| flags | Flags to pass to the `secrethub run` command | No | '' | string |
| step-name | Title of the step to show in the CircleCI UI | No | '' | string |
| version | Version of the SecretHub CLI | No | 0.38.0 | string |

Command: secrethub/install
Install the SecretHub CLI.

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| path | Path to install SecretHub CLI to | No | /usr/local/bin | string |
| shell | The shell used to run the install script | No | /bin/sh | string |
| version | Version of the SecretHub CLI | No | 0.36.0 | string |
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
commands:
  env-export:
    description: |
      Load a secret and make it available as an environment variable for next steps in the job. Note: Unlike the secrethub/exec command, secrethub/env-export does NOT mask secrets from the logs.
    parameters:
      secret-path:
        description: Path where the secret is stored on SecretHub
        type: string
      var-name:
        description: Name of the environment variable to populate with the secret
        type: string
      version:
        default: 0.38.0
        description: Version of the SecretHub CLI
        type: string
    steps:
      - install:
          version: << parameters.version >>
      - run:
          command: |
            # Appends "export VAR=$(cat <<'ID' ... ID)" to $BASH_ENV, which CircleCI sources
            # before each later step. The random heredoc delimiter means no line of the
            # secret can terminate the heredoc early; quoting the delimiter keeps bash from
            # expanding $, ` and \ inside the secret value when $BASH_ENV is sourced.
            # "\<<" emits a literal "<<", which CircleCI would otherwise read as the start
            # of a parameter reference.
            random_heredoc_identifier=$(cat /dev/urandom | env LC_ALL=C tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1) || true
            printf 'export << parameters.var-name >>=$(cat \<<' >> $BASH_ENV
            printf "'${random_heredoc_identifier}'\n" >> $BASH_ENV
            secrethub read << parameters.secret-path >> >> $BASH_ENV
            printf "${random_heredoc_identifier}\n)\n" >> $BASH_ENV
          environment:
            SECRETHUB_APP_INFO_NAME: secrethub-circleci-orb
            SECRETHUB_APP_INFO_VERSION: 1.1.0
          name: Load secret << parameters.var-name >>
  exec:
    description: Run a command with secret environment variables loaded from SecretHub
    parameters:
      command:
        description: Command to execute with secrets
        type: string
      flags:
        default: ""
        description: Flags to pass to the `secrethub run` command
        type: string
      step-name:
        default: ""
        description: Title of the step to show in the CircleCI UI
        type: string
      version:
        default: 0.38.0
        description: Version of the SecretHub CLI
        type: string
    steps:
      - install:
          version: << parameters.version >>
      - run:
          # The command parameter is inlined inside single quotes, so a command that itself
          # contains a single quote breaks the quoting; keep such logic in a script file.
          command: secrethub run << parameters.flags >> -- $SHELL -c '<< parameters.command >>'
          environment:
            SECRETHUB_APP_INFO_NAME: secrethub-circleci-orb
            SECRETHUB_APP_INFO_VERSION: 1.1.0
            SECRETHUB_RUN_NO_PROMPT: true
          name: << parameters.step-name >>
  install:
    description: |
      Install the SecretHub CLI.
    parameters:
      path:
        default: /usr/local/bin
        description: Path to install SecretHub CLI to
        type: string
      shell:
        default: /bin/sh
        description: The shell used to run the install script
        type: string
      version:
        default: 0.36.0
        description: Version of the SecretHub CLI
        type: string
    steps:
      - run:
          command: |
            set -e
            # Colors
            NO_COLOR="\033[0m"
            OK_COLOR="\033[32;01m"
            ERROR_COLOR="\033[31;01m"
            WARN_COLOR="\033[33;01m"
            # Detect Architecture
            ARCH=amd64
            if [ $(getconf LONG_BIT) = 32 ]; then
              ARCH=386
            fi
            # Detect OS
            UNAME=$(uname)
            if [ "$UNAME" = "Darwin" ]; then
              OS=darwin
            elif [ "$UNAME" = "Linux" ]; then
              OS=linux
            else
              echo -e "${ERROR_COLOR}Cannot determine OS type. Exiting...${NO_COLOR}"
              exit 1
            fi
            # Make sure we have root privileges.
            SUDO=""
            if [ $(id -u) -ne 0 ]; then
              if ! [ $(command -v sudo) ]; then
                echo -e "${ERROR_COLOR}Installer requires root privileges. Please run this script as root.${NO_COLOR}"
                exit 1
              fi
              SUDO="sudo"
            fi
            echo -e "${OK_COLOR}==> Creating directories${NO_COLOR}"
            $SUDO mkdir -p /usr/local/secrethub/bin "${SECRETHUB_INSTALL_PATH}"
            if [ "${SECRETHUB_CLI_VERSION:-latest}" != "latest" ]; then
              VERSION=v${SECRETHUB_CLI_VERSION}
            else
              # Retrieve latest version
              echo -e "${OK_COLOR}==> Retrieving latest version${NO_COLOR}"
              VERSION=$(curl --silent "https://api.github.com/repos/secrethub/secrethub-cli/releases/latest" | grep tag_name | awk -F\" '{ print $4 }')
            fi
            # Exit if version is already installed
            if command -v secrethub >/dev/null 2>&1 && secrethub --version 2>&1 | cut -d "," -f 1 | grep -q "$(echo $VERSION | cut -c 2-)$"; then
              echo -e "${OK_COLOR}==> Version ${VERSION} is already installed${NO_COLOR}"
              exit 0
            fi
            echo -e "${OK_COLOR}==> Downloading version ${VERSION}${NO_COLOR}"
            ARCHIVE_NAME=secrethub-$VERSION-$OS-$ARCH
            LINK_TAR=https://github.com/secrethub/secrethub-cli/releases/download/$VERSION/$ARCHIVE_NAME.tar.gz
            curl -fsSL $LINK_TAR | $SUDO tar -xz -C /usr/local/secrethub;
            # symlink in the PATH, at the directory given by the path parameter
            $SUDO ln -sf /usr/local/secrethub/bin/secrethub "${SECRETHUB_INSTALL_PATH}/secrethub"
          environment:
            SECRETHUB_CLI_VERSION: << parameters.version >>
            # Carries the path parameter into the script, which previously ignored it.
            SECRETHUB_INSTALL_PATH: << parameters.path >>
          name: Ensure SecretHub CLI is installed
          shell: << parameters.shell >>
description: |
  Load secrets from SecretHub into your CircleCI jobs.
  To authenticate, create a SecretHub service account with read access and configure the credential as "SECRETHUB_CREDENTIAL" in your CircleCI project settings or Context environment variables.
  More info: https://secrethub.io/docs/reference/cli/service/
display:
  home_url: https://secrethub.io/
  source_url: https://github.com/secrethub/secrethub-circleci-orb
examples:
  env_export_command:
    description: |
      Use the secrethub/env-export command to load a secret and make it available as an environment variable for next steps in the job. This is useful for providing an orb job with secrets as a pre-step to the job.
      Note: Unlike the secrethub/exec command, secrethub/env-export does NOT mask secrets from the logs.
    usage:
      orbs:
        docker: circleci/docker@x.y.z
        secrethub: secrethub/cli@x.y.z
      version: 2.1
      workflows:
        publish:
          jobs:
            - docker/publish:
                image: company/app
                pre-steps:
                  - secrethub/env-export:
                      secret-path: company/app/docker/username
                      var-name: DOCKER_LOGIN
                  - secrethub/env-export:
                      secret-path: company/app/docker/password
                      var-name: DOCKER_PASSWORD
  install_specific_version:
    description: |
      Install a specific version of the SecretHub CLI.
    usage:
      jobs:
        deploy:
          docker:
            - image: cimg/base:stable
          steps:
            - checkout
            - secrethub/install:
                version: 0.35.0
            - run: secrethub --version
      orbs:
        secrethub: secrethub/cli@x.y.z
      version: 2.1
      workflows:
        deploy:
          jobs:
            - deploy
  override_shell_other_orbs:
    description: |
      Install the SecretHub CLI and set it as the shell on the job level. This way, you can also inject secrets into other orbs.
    usage:
      jobs:
        deploy:
          environment:
            AWS_ACCESS_KEY_ID: secrethub://company/app/aws/access_key_id
            AWS_DEFAULT_REGION: us-east-1
            AWS_SECRET_ACCESS_KEY: secrethub://company/app/aws/secret_access_key
          executor: aws-cli/default
          shell: secrethub run -- /bin/bash
          steps:
            - secrethub/install
            - checkout
            - aws-cli/setup
      orbs:
        aws-cli: circleci/aws-cli@x.y.z
        secrethub: secrethub/cli@x.y.z
      version: 2.1
      workflows:
        deploy:
          jobs:
            - deploy
  override_shell_run_command:
    description: |
      Install the SecretHub CLI and set it as the shell on the run command level. The secrets will be loaded on demand and are available during the execution of the command. Secrets that are (accidentally) logged will be masked.
    usage:
      jobs:
        deploy:
          docker:
            - image: cimg/base:stable
          steps:
            - secrethub/install
            - checkout
            - run:
                command: |
                  echo "This value will be masked: $AWS_ACCESS_KEY_ID"
                  echo "This value will be masked: $AWS_SECRET_ACCESS_KEY"
                  ./deploy-my-app.sh
                environment:
                  AWS_ACCESS_KEY_ID: secrethub://company/app/aws/access_key_id
                  AWS_SECRET_ACCESS_KEY: secrethub://company/app/aws/secret_access_key
                shell: secrethub run -- /bin/bash
      orbs:
        secrethub: secrethub/cli@x.y.z
      version: 2.1
      workflows:
        deploy:
          jobs:
            - deploy
  run_command_with_secrets:
    description: |
      Use the secrethub/exec command to automatically install the SecretHub CLI, load secrets on demand and execute a command that needs the secrets. Secrets that are (accidentally) logged will be masked.
    usage:
      jobs:
        deploy:
          docker:
            - image: cimg/base:stable
          environment:
            AWS_ACCESS_KEY_ID: secrethub://company/app/aws/access_key_id
            AWS_REGION: us-east-1
            AWS_SECRET_ACCESS_KEY: secrethub://company/app/aws/secret_access_key
          steps:
            - checkout
            - secrethub/exec:
                command: |
                  echo "This value will be masked: $AWS_ACCESS_KEY_ID"
                  echo "This value will be masked: $AWS_SECRET_ACCESS_KEY"
                  ./deploy-my-app.sh
      orbs:
        secrethub: secrethub/cli@x.y.z
      version: 2.1
      workflows:
        deploy:
          jobs:
            - deploy
  use_cli:
    description: |
      Install the SecretHub CLI and use it in your command.
    usage:
      jobs:
        publish-docker:
          docker:
            - image: cimg/base:stable
          steps:
            - checkout
            - setup_remote_docker
            - secrethub/install
            - run: |
                # Note: -p places the password in the process argument list (visible in ps);
                # docker login --password-stdin avoids that.
                docker login -u $(secrethub read company/app/docker/username) -p $(secrethub read company/app/docker/password)
                docker build -t company/app:${CIRCLE_SHA1:0:7} .
                docker push company/app:${CIRCLE_SHA1:0:7}
      orbs:
        secrethub: secrethub/cli@x.y.z
      version: 2.1
      workflows:
        deploy:
          jobs:
            - publish-docker
version: 2.1
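The env-export command in the orb source above builds its `$BASH_ENV` line from a heredoc with a random delimiter. The following added example (not the orb's code) reproduces that mechanism offline with a stub `secrethub` function and a constructed secret containing quotes, `$`, backticks and a newline, and checks that the value a later step would see is intact; `write_export`, `load_var` and `expected_value` are names chosen here.

```shell
#!/bin/bash
# Added example, not part of the orb. Reproduces what secrethub/env-export appends to
# $BASH_ENV and checks that a secret with shell-special characters survives the round
# trip. `secrethub` is a stub so this runs offline; the secret value is constructed.
secrethub() {
  [ "$1" = "read" ] && [ "$2" = "company/app/docker/password" ] || return 1
  printf "p@ss'word \"with\" \$dollar \`tick\` and\\\\backslash\nsecond line\n"
}

# Same technique as the orb: export VAR=$(cat <<'ID' ... ID). The random delimiter
# means no line of the secret can close the heredoc early; quoting it stops bash from
# expanding $, ` and \ inside the secret when $BASH_ENV is sourced.
write_export() {
  var_name=$1 secret_path=$2 env_file=$3
  delim=$(head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'a-zA-Z0-9' | cut -c1-64)
  printf "export %s=\$(cat <<'%s'\n" "$var_name" "$delim" >> "$env_file"
  secrethub read "$secret_path" >> "$env_file"
  printf '%s\n)\n' "$delim" >> "$env_file"
}

# CircleCI sources $BASH_ENV with bash at the start of every later step; do the same
# in a child bash and return the value that step would see.
load_var() {
  f=$(mktemp)
  write_export DOCKER_PASSWORD company/app/docker/password "$f"
  bash -c '. "$1" && printf "%s" "$DOCKER_PASSWORD"' _ "$f"
  rm -f "$f"
}

# The value the step should see: the stub's output minus the trailing newline that
# command substitution strips.
expected_value() {
  printf "p@ss'word \"with\" \$dollar \`tick\` and\\\\backslash\nsecond line"
}
```

The delimiter quoting is the security-relevant detail: with an unquoted delimiter, `$dollar` and the backticks in the secret would be expanded while sourcing. Either way the secret sits in plaintext in `$BASH_ENV` and in any later `echo`, which is why the page points to secrethub/exec when masking matters.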