FlowCI/flow-core-x

Question: How to import secrets into steps safely

luke-riu opened this issue · 5 comments

In my config I have a token called service_key.
I have a step something like this:

- name: firebase_secret
  envs:
    SERVICE_KEY: service_key
  bash: |
    sh ${FLOWCI_GIT_REPO}/secret_script.sh ${SERVICE_KEY}

but the input parameter in the script just receives "service_key" as a value, rather than the actual value stored in the secrets.
How do I get the actual secret into the script?
Thanks

The current version doesn't support getting a secret key from envs. This feature is under development and will be included in the next release.

You could use the flow.ci API to get the actual secret value as a workaround, e.g.:

# Fetch the secret named test-token-2 from the flow.ci API and extract data.token.data
your_secret=$(curl -X GET "${FLOWCI_SERVER_URL}/api/secret/test-token-2" -H "AGENT-TOKEN: ${FLOWCI_AGENT_TOKEN}" -s | python3 -c "import sys, json; print(json.load(sys.stdin)['data']['token']['data'])")

echo "$your_secret"

If Python is not available in your agent environment:

# Same request, extracting the value with grep and sed instead of Python
your_secret=$(curl -X GET "${FLOWCI_SERVER_URL}/api/secret/test-token-2" -H "AGENT-TOKEN: ${FLOWCI_AGENT_TOKEN}" -s | grep -Eo '"data"[^,]*}' | sed 's/"data":"//; s/"}}}//')

echo "$your_secret"
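
A more defensive form of the workaround above, as an added example that is not part of the original comment or the flow.ci project: it fails closed on HTTP or parse errors and passes the secret to the script through the environment rather than argv or echo. The function names, the constructed sample response, and the assumption that secret_script.sh reads SERVICE_KEY from its environment are all assumptions.

```shell
# Added example, not flow.ci code. Assumes the response shape
# {"data":{"token":{"data":"<secret>"}}} implied by the one-liners above.

# extract_secret: read the API response on stdin, print data.token.data.
# Runs in a subshell (parenthesised body); exits non-zero and prints nothing
# when the field is missing, so an error body is never used as a secret.
extract_secret() (
  body=$(cat)
  if command -v python3 >/dev/null 2>&1; then
    value=$(printf '%s' "$body" | python3 -c '
import sys, json
try:
    v = json.load(sys.stdin)["data"]["token"]["data"]
    assert isinstance(v, str) and v
    print(v)
except Exception:
    sys.exit(1)
') || exit 1
  else
    # No JSON parser available: handles only values without escaped quotes.
    value=$(printf '%s' "$body" | sed -n \
      's/.*"token"[[:space:]]*:[[:space:]]*{[^}]*"data"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  fi
  [ -n "$value" ] || exit 1
  printf '%s' "$value"
)

# fetch_secret NAME: --fail turns HTTP errors into a non-zero curl exit with
# no body, so extract_secret sees empty input and the pipeline fails.
fetch_secret() {
  curl --fail --silent --show-error \
    -H "AGENT-TOKEN: ${FLOWCI_AGENT_TOKEN}" \
    "${FLOWCI_SERVER_URL}/api/secret/$1" | extract_secret
}

# In a step: keep the value out of argv (visible in ps) and out of the log.
#   SERVICE_KEY=$(fetch_secret service_key) || exit 1
#   SERVICE_KEY="$SERVICE_KEY" sh "${FLOWCI_GIT_REPO}/secret_script.sh"

# Constructed sample response (not real data), so this runs offline.
SAMPLE_RESPONSE='{"data":{"token":{"data":"constructed-secret-value"}}}'
demo=$(printf '%s' "$SAMPLE_RESPONSE" | extract_secret) \
  && echo "extracted ${#demo} characters"   # log the length, never the value
```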

Ah that's excellent news. Thanks 😊

Hi. I was wondering if this was resolved in the latest release. Thanks.

Yes, here is an example. You could reference the secret from the YAML block secrets and use it as an environment variable:

  - name: test
    docker:
      image: flowci/debian-git
    secrets:
      - 'test_token'
    bash: |
      echo ${test_token}

Perfect. Thank you :)