Version 1.0.0
Language EN

Configuration in Vault

HashiCorp Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. The Vault plugin allows you to access Vault secret from your pipeline.

Example Vault secret:

$ vault kv put secret/docker \
    username=octocat \
    password=correct-horse-battery-staple

Security

Secrets are available to all repositories and all build events by default. We strongly recommend that you limit access to secrets by repository and build events. This can be done by adding special properties:

$ vault kv put secret/docker \
    username=octocat \
    password=correct-horse-battery-staple \
    x-drone-events=push,tag \
    x-drone-repos=octocat/*,spaceghost/*

Limit By Repository

You can use the X-Drone-Repos annotation to limit which repositories can access your global Kubernetes secret. The annotation accepts a comma-separate list of glob patterns. If a repository name matches at least one of the patterns, it is granted access to the secret.

Limit access to a single repository:

$ vault kv put secret/docker \
    username=octocat \
    password=correct-horse-battery-staple \
    x-drone-repos=octocat/hello-world

Limit access to all repositories in an organization:

$ vault kv put secret/docker \
    username=octocat \
    password=correct-horse-battery-staple \
    x-drone-repos=octocat/*

Limit access to muliptle repositories or organizations:

$ vault kv put secret/docker \
    username=octocat \
    password=correct-horse-battery-staple \
    x-drone-repos=octocat/*,spaceghost/*

Limit By Event

You can use the X-Drone-Events annotation to limit which build events can access your global Kubernetes secret. The annotation is a comma-separate list of events. If a build matches at least one of the events, it is granted access to the secret.

Limit access to push and tag events:

$ vault kv put secret/docker \
    username=octocat \
    password=correct-horse-battery-staple \
    x-drone-events=push,tag

You can combine annotations to limit by repository and event:

$ vault kv put secret/docker \
    username=octocat \
    password=correct-horse-battery-staple \
    x-drone-events=push,tag \
    x-drone-repos=octocat/*,spaceghost/*

On This Page:

Getting Help

Mailing List
Search for information in the mailing list archives, or post a question.
Chat Support
Real-time chat support from maintainers and community members.