CI/CD integrations

Keeper Secrets Manager

If you are looking for a scalable solution purpose-built for retrieving secrets in production environments, you should use Keeper Secrets Manager. This section describes a legacy component that requires a master password to be saved, or a token that must be refreshed at most every 30 days. However, for certain scripts this may work.
Legacy Feature Alert
For proper Secrets Management please see the Keeper Secrets Manager.

Jenkins CI Integration

This example demonstrates retrieving a password in Keeper for use in the Jenkins CI environment.
  1. Create a Python virtual environment in the jenkins user's home directory and install the keepercommander package with pip:

         [email protected]:~$ python3 -m venv keeper
         [email protected]:~/$ cd keeper
         [email protected]:~/$ . bin/activate
         (keeper)[email protected]:~/keeper$ pip install keepercommander

  2. Log in to Commander with the account you are planning to use with Jenkins. Authenticate with Keeper Commander on the command line so that you can provide a two-factor code if the account has 2FA protection enabled.

         (keeper)[email protected]:~/keeper$ keeper [email protected] -- shell
         My Vault> q

  3. Add the Keeper user account to the Jenkins Credentials configuration:
     • Credential Kind: Username with password
     • Password: [Password]
     • ID: Keeper

         node {
             environment {
                 PASSWORD='' // define environment variable
             }
             stage('Load') {
                 // change working directory to the keeper venv
                 dir("/var/jenkins_home/keeper") {
                     // load Keeper credentials into environment variables. Commander uses the KEEPER_PASSWORD variable if set
                     withCredentials([usernamePassword(credentialsId: 'Keeper', usernameVariable: 'KEEPER_USERNAME', passwordVariable: 'KEEPER_PASSWORD')]) {
                         // retrieve the password; the script is single-quoted so the shell, not Groovy, expands the credential variable
                         env.PASSWORD = sh(script: '. bin/activate; keeper --user="$KEEPER_USERNAME" get --format=password <Record UID>', returnStdout: true).trim()
                     }
                 }
             }
             stage('Run') {
                 // demonstration only: this prints the retrieved password to the build log
                 echo "${env.PASSWORD}"
             }
         }

In this example, replace the Record UID with the actual UID from the Keeper vault. To locate the Record UID see this section.

GitHub Actions Integration

This example demonstrates retrieving a password in Keeper for use in the GitHub Actions environment.
  1. Generate configuration file
     • On your local machine, log in to Keeper with the account you will be using in GitHub Actions. In our example we will use [email protected]. Make sure to disable 2FA for this account.

           keeper shell --user [email protected]

     • Edit config file
       In the directory where you ran the keeper command you should see a newly generated config file, config.json. Modify this file by adding the password that was used to log in. This is a sample of the config file:

           {
             "user": "[email protected]",
             "password": "M4yTh4F0rc3Bw1thU!",
             "private_key": "upemV2551Nc-oOw6DbqBzAXphOw46BBW19Rw7auXhzY",
             "device_token": "kDbya3s-pco6N7n5mKBqSgUyQMCv9QVim4gh177zBJ11Pg"
           }

  2. GitHub Actions Workflow configuration
     In your GitHub Actions workflow add the following steps:
     • Install Keeper Commander
     • Add config.json to the home folder from where Commander's commands will be executed. See the note below on best practices for securing the config file.
     • Call Commander's commands
     Example GitHub Actions workflow code:

         name: Commander In GitHub Actions
         on:
           push:
             branches: [ main ]
           pull_request:
             branches: [ main ]
           workflow_dispatch:
         jobs:
           build:
             runs-on: ubuntu-latest
             steps:
               - uses: actions/[email protected]
               - uses: actions/[email protected]
                 with:
                   python-version: '3.9'
                   architecture: 'x64'
               - name: Install Keeper Commander
                 run: |
                   pip install keepercommander

               - name: Setup Config File
                 env:
                   COMMANDER_CONFIG_JSON: ${{ secrets.COMMANDER_CONFIG_JSON }}
                 shell: bash
                 run: 'echo "$COMMANDER_CONFIG_JSON" > config.json'
               - name: Example calling Keeper
                 run: |
                   keeper "ls -l"
                   keeper this-device

Note on securing the config file: The config file generated in step 1 can be stored in Actions secrets (Settings -> Secrets -> Repository secrets) as a JSON string in the value field. This JSON is later retrieved and written to config.json, as shown in the "Setup Config File" step above:

    - name: Setup Config File
      env:
        COMMANDER_CONFIG_JSON: ${{ secrets.COMMANDER_CONFIG_JSON }}
      shell: bash
      run: 'echo "$COMMANDER_CONFIG_JSON" > config.json'
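
A stricter variant of the "Setup Config File" step, as an added example that is not part of the Keeper documentation: it writes the secret to an owner-only file in a private temporary directory and removes it afterwards. The function names are hypothetical; COMMANDER_CONFIG_JSON is the secret name used above, KEEPER_CONFIG_FILE is the variable used in the Azure example on this page, and RUNNER_TEMP is the temp directory GitHub sets on its runners.

```shell
#!/usr/bin/env bash
# Added example, not from the Keeper docs. Function names are hypothetical.

# Write the JSON held in $COMMANDER_CONFIG_JSON (the secret name used in the
# workflow above) to a 0600 file in a private directory; print the file path.
write_keeper_config() {
    local dir file key
    if [ -z "${COMMANDER_CONFIG_JSON:-}" ]; then
        echo "COMMANDER_CONFIG_JSON is empty: secret not exposed to this job?" >&2
        return 1
    fi
    # Shallow sanity check (substring match, not a JSON parse) for the four
    # fields shown in the sample config.json.
    for key in user password private_key device_token; do
        case "$COMMANDER_CONFIG_JSON" in
            *"\"$key\""*) ;;
            *) echo "config is missing \"$key\"" >&2; return 1 ;;
        esac
    done
    # RUNNER_TEMP is set by GitHub-hosted runners; fall back elsewhere.
    dir=$(mktemp -d "${RUNNER_TEMP:-${TMPDIR:-/tmp}}/keeper-cfg.XXXXXX") || return 1
    file="$dir/config.json"
    # umask in a subshell so the file is never created group/world-readable.
    ( umask 077; printf '%s\n' "$COMMANDER_CONFIG_JSON" > "$file" ) || return 1
    printf '%s\n' "$file"
}

# Delete the config and its directory; refuses paths it did not create.
remove_keeper_config() {
    case "$1" in
        */keeper-cfg.*/config.json) rm -rf -- "${1%/config.json}" ;;
        *) echo "refusing to remove unexpected path: $1" >&2; return 1 ;;
    esac
}

# Usage inside one workflow step (each step starts a new shell):
#   KEEPER_CONFIG_FILE=$(write_keeper_config) || exit 1
#   export KEEPER_CONFIG_FILE
#   trap 'remove_keeper_config "$KEEPER_CONFIG_FILE"' EXIT
#   keeper this-device
```

Because the file holds the account password and device token, keep the write, the keeper calls and the cleanup in the same step so the file does not outlive it.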

Azure DevOps Pipeline Integration

This example demonstrates retrieving a password in Keeper for use in an Azure DevOps Pipeline.
  1. Generate configuration file
     See Step 1 in the GitHub Actions Integration example.
  2. Azure DevOps Pipeline configuration
     In your Azure DevOps pipeline add the following steps:
     • Install Keeper Commander
     • Add config.json to the home folder from where Commander's commands will be executed.
     • Call Commander's commands
     Example Azure DevOps Pipeline code:

         trigger:
         - main

         pool:
           vmImage: ubuntu-latest

         steps:
         # the "- task:" line of this step is missing from the page
         - task: <task name missing from the page>
           inputs:
             versionSpec: '3.7'
             addToPath: true
             architecture: 'x64'

         # the "- task:" line of this step is missing from the page
         - task: <task name missing from the page>
           name: secureKeeperConfig
           displayName: Download Keeper config file
           inputs:
             secureFile: config.json

         - displayName: Install Keeper Commander
           script: |
             pip3 install keepercommander

         - displayName: 'Example calling Keeper'
           script: |
             # the variable prefix must match the name of the secure-file step above
             export KEEPER_CONFIG_FILE=$(secureKeeperConfig.secureFilePath)
             keeper whoami
             keeper "ls -l"

See this document on how to securely store files in Azure DevOps Pipeline