GitLab
Keeper Secrets Manager integration into GitLab for dynamic secrets retrieval
Features
Retrieve secrets from the Keeper Vault within the GitLab Pipeline
Set secret credentials as build arguments or environment variables
Copy secure files from the Keeper Vault
For a complete list of Keeper Secrets Manager features, see the Overview.
Prerequisites
This page documents the Secrets Manager GitLab integration. In order to utilize this integration, you will need:
Keeper Secrets Manager access (See the Quick Start Guide for more details)
Secrets Manager addon enabled for your Keeper account
Membership in a Role with the Secrets Manager enforcement policy enabled
A Keeper Secrets Manager Application with secrets shared to it
See the Quick Start Guide for instructions on creating an Application
An initialized Keeper Secrets Manager Configuration
The GitLab integration accepts JSON and Base64 format configurations
A GitLab account with Pipeline creation access
Python 3 installed in the GitLab Pipeline job
About
This action securely retrieves secrets from Keeper and places them in the desired destination within the GitLab Pipeline, such as an environment variable or a file.
Setup
Save Configuration as a Secret Variable
A Keeper Secrets Manager configuration is required to utilize the GitLab integration.
1) Create a Keeper Secrets Manager Configuration. See the documentation for details. The GitLab integration supports Base64 and JSON configurations.
2) To save the configuration in GitLab, navigate to GitLab Settings -> CI/CD -> Variables
3) Create a new variable. Key can be set to any name for the variable (use KSM_CONFIG to have the SDKs automatically recognize the configuration). Set Value as the Secrets Manager configuration in Base64 or JSON format.
Use KSM_CONFIG as the variable name to have Secrets Manager SDKs automatically recognize the configuration variable.
After creating the variable, you should see it listed in your GitLab variables.
Keeper Secrets Manager GitLab Integration setup is complete.
Usage
Prepare the Pipeline for Secrets Manager
In order to use Keeper Secrets Manager with GitLab, first we need to install it from the PyPI registry. This can be achieved by adding the following line to the before_script area:
If you did not set the Secrets Manager Configuration variable to the name KSM_CONFIG, you need to set it here in the before_script area.
Get Secrets
Inside the GitLab job, retrieve secrets from the Keeper Vault using the following format:
This utilizes the KSM CLI tool to get secrets using Keeper Notation.
After getting a secret, you can set it as an environment variable or file.
Set Secret as Environment Variable
To set a secret as an environment variable, use:
- export <VARIABLE NAME>=$(ksm secret notation <KEEPER NOTATION>)
Example:
The following job sets a password secret as an environment variable named MY_PWD and a custom 'isbncode' record field as an environment variable named MY_ISBNCODE.
Replace XXX with a record UID in the above example.
Keeper Secrets Manager can be used in any job stage. This example uses the build stage.
Create a File from a Secret
To get a file from the Keeper Vault and save it as a file in your GitLab Pipeline job, use:
- ksm secret download -u <UID> --name <SECRET FILENAME> --file-output "<OUTPUT FILENAME>"
Example:
The following job gets a file named "mykey.pub" that is attached to a Keeper record and saves its contents into a file named "mykey.pub" in the local "tmp" folder.
Replace XXX with a record UID in the above example.
Keeper Secrets Manager can be used in any job stage. This example uses the build stage.
Complete Example
The example below shows all available functionality of this integration.
Replace XXX in the example above with a record UID.
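As an added example (not Keeper's own pipeline file), the .gitlab-ci.yml below combines the steps described on this page: installing the CLI, exporting two record fields as environment variables, and downloading an attached file. The image, job name, MY_KSM_CONFIG variable name, and the checks and cleanup steps are assumptions; XXX stands for a record UID.

```yaml
# Added example; XXX is a placeholder record UID.
# Assumption: KSM_CONFIG is stored under Settings -> CI/CD -> Variables
# (Base64 form) and marked Masked and Protected there.
image: python:3.12-slim   # assumption: any image with Python 3 and pip works

stages:
  - build

before_script:
  # Install the KSM CLI from PyPI.
  - python3 -m pip install --quiet keeper-secrets-manager-cli
  # Only needed when the CI/CD variable is NOT named KSM_CONFIG
  # (MY_KSM_CONFIG is a hypothetical variable name):
  # - export KSM_CONFIG=$MY_KSM_CONFIG

build-with-secrets:
  stage: build
  script:
    # Secrets as environment variables, resolved through Keeper Notation.
    - export MY_PWD=$(ksm secret notation keeper://XXX/field/password)
    - export MY_ISBNCODE=$(ksm secret notation keeper://XXX/custom_field/isbncode)
    # Fail early if a lookup came back empty, without echoing the values.
    - test -n "$MY_PWD" && test -n "$MY_ISBNCODE"
    # File attachment written to disk for the duration of this job.
    - mkdir -p tmp
    - ksm secret download -u XXX --name "mykey.pub" --file-output "tmp/mykey.pub"
    - chmod 600 tmp/mykey.pub
    - test -s tmp/mykey.pub
  after_script:
    # Remove the downloaded file so it is not left in the workspace.
    - rm -f tmp/mykey.pub
```

Keep retrieved values out of echo or debug output, and do not list tmp/ under the job's artifacts or cache paths.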