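---
# GitLab CI job that logs in to Vault with the job's JWT and reads one secret.
#
# NOTE(review): `latest` is a floating tag, so the job can silently pick up a
# different Vault CLI build. Pin a reviewed version tag or an image digest.
image: vault:latest

variables:
  # Read by the Vault image entrypoint to skip the setcap step, which is
  # not needed when only the CLI client is used.
  SKIP_SETCAP: 'true'

read_secrets:
  script:
    # Informational only: print the job's ref name and whether the ref is
    # protected. These echoes do not restrict anything; access control must
    # be enforced by the bound claims of the Vault role used below.
    - echo "$CI_COMMIT_REF_NAME"
    - echo "$CI_COMMIT_REF_PROTECTED"
    # Vault's address can be provided here or as a CI/CD variable.
    - export VAULT_ADDR=https://vault.ducoterra.net
    # Authenticate and get a token. Token expiry time and other properties
    # are set when configuring JWT auth:
    # https://www.vaultproject.io/api/auth/jwt#parameters-1
    # The assignment is separate from `export` so that a failed login fails
    # the job; `export VAR="$(cmd)"` returns the status of export and hides
    # the failure. The JWT is quoted so it is always passed as one argument.
    # NOTE(review): newer GitLab releases replace CI_JOB_JWT with the
    # `id_tokens` keyword; confirm which one this instance supports.
    - VAULT_TOKEN="$(vault write -field=token auth/jwt/login role=myproject-production jwt="$CI_JOB_JWT")"
    - export VAULT_TOKEN
    # Use VAULT_TOKEN to read the secret into an environment variable,
    # again failing the job if the read fails.
    - PASSWORD="$(vault kv get -field=password secret/myproject/production/db)"
    - export PASSWORD
    # Use the secret. Do not echo it: job logs are stored and readable by
    # project members. Only check that a value was returned, then hand it to
    # the consuming command through the environment.
    - test -n "$PASSWORD"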