A secret extension that provides optional support for sourcing secrets from Azure Key Vault. Please note this project requires Drone server version 1.4 or higher.

Installation

Create a shared secret:

$ openssl rand -hex 16
bea26a2221fd8090ea38720fc445eca6

Download and run the plugin:

$ docker run -d \
  --publish=3000:3000 \
  --env=DRONE_DEBUG=true \
  --env=DRONE_SECRET=bea26a2221fd8090ea38720fc445eca6 \
  --env=AZURE_TENANT_ID=$AZURE_TENANT_ID \
  --env=AZURE_CLIENT_ID=$AZURE_CLIENT_ID \
  --env=AZURE_CLIENT_SECRET=$AZURE_CLIENT_SECRET \
  --restart=always \
  --name=secrets <docker_repo>/drone-azure-key-vault

Update your runner configuration to include the plugin address and the shared secret. The example below uses plain HTTP: the shared secret authenticates the runner's requests, but the secret values are returned in the response body, so keep the plugin endpoint on a private network or terminate TLS in front of it.

DRONE_SECRET_PLUGIN_ENDPOINT=http://1.2.3.4:3000
DRONE_SECRET_PLUGIN_TOKEN=bea26a2221fd8090ea38720fc445eca6

Azure Key Vault

Azure Key Vault is a tool for securely storing and accessing secrets. The Azure Key Vault extension provides your pipeline with access to Azure Key Vault secrets.

Required Azure environment variables

  • AZURE_TENANT_ID: Specifies the Tenant to which to authenticate.

  • AZURE_CLIENT_ID: Specifies the app client ID to use.

  • AZURE_CLIENT_SECRET: Specifies the app secret to use.

The app client specified in the environment variables needs read access to secrets (the Get permission on secrets, or an equivalent RBAC role) in every Key Vault that pipelines are going to read from. Do not grant it write or delete permissions; the extension only reads.

Creating secrets

Use the Azure CLI to create secrets in the Key Vault. In the example below we store the Docker username and password. Note that passing --value on the command line leaves the secret in your shell history; for real credentials, prefer the --file option of az keyvault secret set.

$ az keyvault secret set --vault-name vault-dev --name docker-username --value user
$ az keyvault secret set --vault-name vault-dev --name docker-password --value pass

Accessing the secrets

Once the secrets are stored in Azure Key Vault, we can update the yaml configuration to use them. To access them, first define a secret resource for each external secret:

---
kind: secret
name: docker-username
get:
  path: vault-dev
  name: docker-username

---
kind: secret
name: docker-password
get:
  path: vault-dev
  name: docker-password

path is the Azure Key Vault name (it identifies the vault the extension queries), and name is the name of the secret to fetch from that vault. The name of the secret resource (the top-level name field) is what pipeline steps reference; it does not have to match the Key Vault secret name.

Referencing them from a pipeline step in the same yaml configuration:

kind: pipeline
name: default

steps:
- name: build
  image: alpine
  environment:
    DOCKER_USERNAME:
      from_secret: docker-username
    DOCKER_PASSWORD:
      from_secret: docker-password

---
kind: secret
name: docker-username
get:
  path: vault-dev
  name: docker-username

---
kind: secret
name: docker-password
get:
  path: vault-dev
  name: docker-password

...

Limiting access

Secrets are available to all repositories and all build events by default. Any repository on the Drone server can therefore read any secret the app client can reach, so restrict access before storing anything sensitive.

Limiting access works the same way as for the other Drone external secrets plugins; more details can be found in the Drone documentation.

Note: access is currently limited per Key Vault, not per secret. A restriction applies to every secret in that vault, so use separate vaults for secrets that need different access rules.

Example: limiting the secrets of a Key Vault to a single repository. The restriction is itself stored as a secret in the same vault:

$ az keyvault secret set --vault-name vault-dev --name x-drone-repos --value octocat/hello-world
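To make the two mechanisms above concrete, the resolution of a secret resource (get.path / get.name) to a Key Vault lookup and the per-vault x-drone-repos restriction, here is an added Go illustration. It is not the plugin's own code: the Request type, the in-memory map standing in for a vault, the api-version value and the interpretation of x-drone-repos as a comma-separated list of path.Match patterns (the behaviour of the upstream drone-vault extension) are assumptions. It also validates get.path before using it as a host name, so that a crafted path cannot steer the request to a host other than the intended vault.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"regexp"
	"strings"
)

// Request carries what a Drone secret extension learns from a secret
// resource and the build that asks for it. Constructed for this example;
// these are not the plugin's own types.
type Request struct {
	Path string // get.path: the Key Vault name, e.g. "vault-dev"
	Name string // get.name: the secret name inside that vault
	Repo string // slug of the repository whose build is running
}

// Azure naming rules (assumed from Azure documentation): vault names are
// 3-24 characters, start with a letter, end with a letter or digit and
// contain only letters, digits and single hyphens; secret names are
// 1-127 characters of letters, digits and hyphens.
var (
	vaultNameRe  = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$`)
	secretNameRe = regexp.MustCompile(`^[A-Za-z0-9-]{1,127}$`)
)

// vaultURL builds the REST URL a plugin would fetch for get.path/get.name.
// Because get.path becomes the host name, it is validated first so that a
// crafted path cannot redirect the request to another host. The URL shape
// is Azure's public one; api-version=7.4 is an assumption.
func vaultURL(vault, name string) (string, error) {
	if !vaultNameRe.MatchString(vault) || strings.Contains(vault, "--") {
		return "", fmt.Errorf("invalid Key Vault name %q", vault)
	}
	if !secretNameRe.MatchString(name) {
		return "", fmt.Errorf("invalid secret name %q", name)
	}
	return fmt.Sprintf("https://%s.vault.azure.net/secrets/%s?api-version=7.4", vault, name), nil
}

// allowed evaluates an x-drone-repos value against the requesting repository.
// An empty value means the vault is open to every repository (the default
// described on the page). The value is treated as a comma-separated list of
// patterns matched with path.Match; glob support is an assumption.
func allowed(repo, restriction string) bool {
	restriction = strings.TrimSpace(restriction)
	if restriction == "" {
		return true
	}
	for _, pattern := range strings.Split(restriction, ",") {
		pattern = strings.TrimSpace(pattern)
		if pattern == "" {
			continue
		}
		if ok, err := path.Match(pattern, repo); err == nil && ok {
			return true
		}
	}
	return false
}

// lookup resolves a request against an in-memory stand-in for one Key Vault
// (secret name -> value). The restriction is enforced per vault, matching
// the note that access is limited at the vault level: x-drone-repos is read
// from the same vault and applies to every secret in it. It returns the URL
// a real plugin would call and the secret value.
func lookup(req Request, vault map[string]string) (url, value string, err error) {
	url, err = vaultURL(req.Path, req.Name)
	if err != nil {
		return "", "", err
	}
	if !allowed(req.Repo, vault["x-drone-repos"]) {
		return "", "", fmt.Errorf("access denied: %s may not read vault %s", req.Repo, req.Path)
	}
	value, ok := vault[req.Name]
	if !ok {
		return "", "", errors.New("secret not found")
	}
	return url, value, nil
}

func main() {
	// Constructed sample vault mirroring the az commands on this page.
	vault := map[string]string{
		"docker-username": "user",
		"docker-password": "pass",
		"x-drone-repos":   "octocat/hello-world",
	}
	for _, req := range []Request{
		{Path: "vault-dev", Name: "docker-username", Repo: "octocat/hello-world"},
		{Path: "vault-dev", Name: "docker-username", Repo: "mallory/fork"},
		{Path: "vault-dev.attacker.example", Name: "docker-password", Repo: "octocat/hello-world"},
	} {
		url, value, err := lookup(req, vault)
		if err != nil {
			fmt.Println(req.Repo, "->", err)
			continue
		}
		fmt.Println(req.Repo, "->", url, "=", value)
	}
}
```

The three sample requests show one permitted read, one denial because the repository is not listed in x-drone-repos, and one rejection because the get.path is not a valid vault name. The checks are deliberately ordered so that input validation happens before any authorization decision or network call would be made.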