Retrieve secrets from the Keeper Vault within the GitLab Pipeline
Set secret credentials as build arguments or environment variables
Copy secure files from the Keeper Vault
This page documents the Secrets Manager GitLab integration. In order to utilize this integration, you will need:
Secrets Manager addon enabled for your Keeper account
Membership in a Role with the Secrets Manager enforcement policy enabled
The GitLab integration accepts JSON and Base64 format configurations
A GitLab account with Pipeline creation access
Python 3 installed in the GitLab Pipeline job
This action securely retrieves secrets from Keeper and places them in the desired destination of the GitLab Pipeline, such as an environment variable or a file.
2) To save the configuration in GitLab, navigate to GitLab Settings -> CI/CD -> Variables
3) Create a new variable. Key can be set to any name for the variable (use KSM_CONFIG to have the SDKs automatically recognize the configuration). Set Value as the Secrets Manager configuration in Base64 or JSON format.
Use KSM_CONFIG as the variable name to have Secrets Manager SDKs automatically recognize the configuration variable
After creating the variable, you should see it in your GitLab variables as shown below.
Keeper Secrets Manager GitLab Integration setup is complete
In order to use Keeper Secrets Manager with GitLab, first we need to install it from the PyPI registry. This can be achieved by adding the following line to the before_script area:
If you did not set the Secrets Manager Configuration variable to the name KSM_CONFIG, you need to set it here in the before_script area
Inside the GitLab job, retrieve a secret from the Keeper Vault using the following format:
After getting a secret, you can set it as an environment variable or file.
Use - export <VARIABLE NAME>=$(ksm secret notation <KEEPER NOTATION>) to set a secret to an environment variable
Example:
The following job sets a password secret as an environment variable named MY_PWD and a custom 'isbncode' record field to the environment variable named MY_ISBNCODE
Replace XXX with a record UID in the above example.
Keeper Secrets Manager can be used in any job stage. This example uses the build stage.
Use - ksm secret download -u <UID> --name <SECRET FILENAME> --file-output "<OUTPUT FILENAME>" to get a file from the Keeper Vault and save it as a file to your GitLab Pipeline job.
Example:
The following job gets a file named "mykey.pub" that is attached to a Keeper record and saves its contents into a file named "mykey.pub" in the local "tmp" folder
Replace XXX with a record UID in the above example.
Keeper Secrets Manager can be used in any job stage. This example uses the build stage.
The example below shows all available functionality of this integration
Replace XXX in the example above with a record UID.
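The steps described above combined into one .gitlab-ci.yml, as an added example that is not taken from the original page or from Keeper's own documentation. It also fails the job when a retrieved value is empty, because export VAR=$(cmd) succeeds even when cmd fails. Assumptions: the python:3 image, the keeper:// notation strings, the /tmp output path and the hypothetical MY_KSM_VAR variable name; XXX stands for a record UID.

```yaml
# Added example, not from the original page. Assumptions: the python:3 image,
# the Keeper notation strings, and the /tmp output path. XXX is a record UID.
image: python:3

before_script:
  # Install the Secrets Manager CLI, which provides the `ksm` command.
  - python3 -m pip install keeper-secrets-manager-cli
  # Only needed when the CI/CD variable is not named KSM_CONFIG
  # (MY_KSM_VAR is a hypothetical variable name):
  # - export KSM_CONFIG=$MY_KSM_VAR

job1:
  stage: build
  script:
    # Secrets as environment variables (password field and a custom field).
    - export MY_PWD=$(ksm secret notation keeper://XXX/field/password)
    - export MY_ISBNCODE=$(ksm secret notation keeper://XXX/custom_field/isbncode)
    # `export VAR=$(cmd)` returns 0 even when cmd fails, so fail the job
    # explicitly if a value came back empty. Never echo the values themselves.
    - test -n "$MY_PWD"
    - test -n "$MY_ISBNCODE"
    # File attached to the record, saved into the job's filesystem.
    - ksm secret download -u XXX --name "mykey.pub" --file-output "/tmp/mykey.pub"
    # Fail the job if the downloaded file is missing or empty.
    - test -s /tmp/mykey.pub
  after_script:
    # Remove the retrieved file when the job ends.
    - rm -f /tmp/mykey.pub
```

Exported values exist only inside this job's shell; a later job has to retrieve them again rather than receive them through artifacts or job logs.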
For a complete list of Keeper Secrets Manager features see the
Keeper Secrets Manager access (See the for more details)
A Keeper with secrets shared to it
See the for instructions on creating an Application
An initialized Keeper
A keeper is required to utilize the GitLab integration.
1) Create a Keeper Secrets Manager Configuration. See the for details. The GitLab integration supports Base64 and JSON configurations.
This utilizes the to get secrets using .
Keeper Secrets Manager integration into GitLab for dynamic secrets retrieval