Space
The intelligent code collaboration platform
Space is pivoting to SpaceCode, focused on Git hosting and code reviews. Learn more →
Introducing Support for Vault Secrets in Space Automation
We’ve added support for Vault parameters in Space Automation scripts. What’s this all about?
Build scripts often need credentials to access external services and resources. Of course, Space provides built-in secret storage for storing various data in an encrypted format. Nevertheless, many companies require more advanced security features, like centralized secret management, dynamic secrets, configurable token TTL, and others. One of the leading solutions for secret storage with these features is HashiCorp Vault.
Read this article to learn how to use Vault secrets in Space Automation.
How to use Vault parameters
- First, you need to add a connection to your Vault server in the project settings. Learn more
- Now, you can add a parameter on the project’s Secrets & Parameters page. Learn more
- Finally, you can use the parameter in your Automation script. Use the same DSL you use to resolve ordinary parameters stored in Space:
job(“Vault Params”) { // get vault param in a shell script container(displayName = “Show key”, image = “ubuntu”) { env[“KEY”] = Params(“access-key”) shellScript { content = “”” echo Value from Vault is ${‘$’}KEY “”” } } // get vault param in Kotlin code container(displayName = “Show key”, image = “ubuntu”) { env[“KEY”] = Params(access-key”) kotlinScript { val key = System.getenv(“KEY”) println(“”” Value from Vault is $key “””) } } } |
It’s worth noting that println
in the script above doesn’t make any sense, as Automation automatically substitutes secret values with asterisks:
How does it work?
- Space stores the AppRole ID and Secret in the encrypted storage. The ID and Secret never leave Space.
- When an Automation job is started, Space requests a short-lived wrapper for the authentication token from Vault.
- Space doesn’t use the token itself, but passes it to the worker.
- The worker that runs the job uses the token to get the values. The values never leave the worker.
- As soon as the worker gets the values, the token is revoked.
- As mentioned above, if the value is shown in the build log for some reason, Automation detects this and substitutes it with asterisks. With this update, Automation uses asterisks to hide both Vault secrets and standard Space-stored secrets.
That’s all we wanted to share today. If you use Vault in your projects, please give this feature a try and share your thoughts!