GitLab
Keeper Secrets Manager integration into GitLab for dynamic secrets retrieval

- Retrieve secrets from the Keeper Vault within the GitLab Pipeline
- Set secret credentials as build arguments or environment variables
- Copy secure files from the Keeper Vault
This page documents the Secrets Manager GitLab integration. In order to utilize this integration, you will need:
- Secrets Manager addon enabled for your Keeper account
- Membership in a Role with the Secrets Manager enforcement policy enabled
- The GitLab integration accepts JSON and Base64 format configurations
- A GitLab account with Pipeline creation access
- Python 3 installed in the GitLab Pipeline job
This action securely retrieves secrets from Keeper and places them in the desired destination of the GitLab Pipeline, such as an environment variable or file.
1) Create a Keeper Secrets Manager Configuration. See the documentation for details. The GitLab integration supports Base64 and JSON configurations.
2) To save the configuration in GitLab, navigate to GitLab Settings -> CI/CD -> Variables

3) Create a new variable. Key can be set to any name for the variable (use KSM_CONFIG to have the SDKs automatically recognize the configuration). Set Value as the Secrets Manager configuration in Base64 or JSON format.
Use KSM_CONFIG as the variable name to have Secrets Manager SDKs automatically recognize the configuration variable.
After creating the variable, you should see it in your GitLab variables.

Keeper Secrets Manager GitLab Integration setup is complete.
In order to use Keeper Secrets Manager with GitLab, first we need to install it from the PyPI registry. This can be achieved by adding the following line to the before_script area:

    before_script:
      - python3 -m pip install keeper-secrets-manager-cli

If you did not set the Secrets Manager Configuration variable to the name KSM_CONFIG, you need to set it here in the before_script area:

      - export KSM_CONFIG=$<SECRETS MANAGER CONFIG VARIABLE>

Inside the GitLab job, retrieve a secret from the Keeper Vault using the following format:

    $(ksm secret notation <KEEPER NOTATION>)

After getting a secret, you can set it as an environment variable or file.

To set a secret as an environment variable, use:

    - export <VARIABLE NAME>=$(ksm secret notation <KEEPER NOTATION>)

Example:
The following job sets a password secret as an environment variable named MY_PWD and a custom 'isbncode' record field as the environment variable named MY_ISBNCODE:

    job1:
      stage: build
      script:
        - export MY_PWD=$(ksm secret notation keeper://XXX/field/password)
        - export MY_ISBNCODE=$(ksm secret notation keeper://XXX/custom_field/isbncode)

Replace XXX with a record UID in the above example.
Keeper Secrets Manager can be used in any job stage. This example uses the build stage.

To get a file from the Keeper Vault and save it as a file in your GitLab Pipeline job, use:

    - ksm secret download -u <UID> --name <SECRET FILENAME> --file-output "<OUTPUT FILENAME>"

Example:
The following job gets a file named "mykey.pub" that is attached to a Keeper record and saves its contents to a file named "mykey.pub" in the local "tmp" folder:

    job1:
      stage: build
      script:
        - ksm secret download -u XXX --name "mykey.pub" --file-output "/tmp/mykey.pub"

Replace XXX with a record UID in the above example.
Keeper Secrets Manager can be used in any job stage. This example uses the build stage.

The example below shows all available functionality of this integration:

    image: python:latest
    before_script:
      - python3 -m pip install keeper-secrets-manager-cli
    job1:
      stage: build
      script:
        - export MY_PWD=$(ksm secret notation keeper://XXX/field/password)
        - export MY_ISBNCODE=$(ksm secret notation keeper://XXX/custom_field/isbncode)
        - ksm secret download -u XXX --name "mykey.pub" --file-output "/tmp/mykey.pub"
        - file /tmp/mykey.pub

Replace XXX in the example above with a record UID.
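
The export VAR=$(ksm ...) form used above returns the exit status of export, not of ksm, so a failed lookup leaves an empty variable and the job keeps running. The following is an added example, not part of Keeper's documentation: it wraps the two ksm commands shown on this page so that a failed or empty retrieval stops the job and a downloaded file is readable by its owner only. The helper names fetch_secret and fetch_file are hypothetical.

```shell
#!/bin/sh
# Added example: fail-closed wrappers around the ksm commands shown on this page.
# fetch_secret and fetch_file are hypothetical helper names, not part of the ksm CLI.

# fetch_secret VAR NOTATION
# Exports VAR with the value behind NOTATION, or returns non-zero.
fetch_secret() {
    _name=$1
    _notation=$2
    # Accept only a valid shell variable name before passing it to export.
    case $_name in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid variable name" >&2; return 2 ;;
    esac
    # A plain assignment keeps the exit status of ksm; export would hide it.
    _value=$(ksm secret notation "$_notation") || {
        echo "ksm lookup failed for $_name" >&2; return 1; }
    if [ -z "$_value" ]; then
        echo "ksm returned an empty value for $_name" >&2; return 1
    fi
    export "$_name=$_value"
    unset _value
}

# fetch_file UID NAME DEST
# Downloads the attachment NAME of record UID to DEST with owner-only permissions.
fetch_file() {
    _uid=$1 _fname=$2 _dest=$3
    (
        umask 077   # the file is created without group/other access
        ksm secret download -u "$_uid" --name "$_fname" --file-output "$_dest"
    ) || { echo "ksm download failed for $_fname" >&2; return 1; }
    # Treat a zero-byte result as a failure and do not leave it behind.
    [ -s "$_dest" ] || { echo "downloaded file is empty" >&2; rm -f "$_dest"; return 1; }
    chmod 600 "$_dest"
}
```

Source the helpers in the job and call fetch_secret MY_PWD keeper://XXX/field/password in place of the export line; neither helper prints the secret value, so nothing is written to the job log.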