
Introducing Support for Vault Secrets in Space Automation

We’ve added support for Vault parameters in Space Automation scripts. What’s this all about? 

Build scripts often need credentials to access external services and resources. Space does provide built-in secret storage that keeps such values encrypted. Nevertheless, many companies require more advanced secret-management features: centralized management across teams and tools, dynamic secrets, configurable token TTLs, and so on. One of the leading solutions offering these features is HashiCorp Vault.

Read this article to learn how to use Vault secrets in Space Automation.

How to use Vault parameters

  1. First, add a connection to your Vault server in the project settings. Learn more
  2. Then add a parameter on the project’s Secrets & Parameters page. Learn more
  3. Finally, use the parameter in your Automation script, with the same DSL you use to resolve ordinary parameters stored in Space:
job("Vault Params") {
    // get the Vault param in a shell script: it is injected as an environment variable
    container(displayName = "Show key (shell)", image = "ubuntu") {
        env["KEY"] = Params("access-key")

        shellScript {
            content = """
                echo Value from Vault is ${'$'}KEY
            """
        }
    }

    // get the Vault param in Kotlin code: read the same environment variable
    container(displayName = "Show key (Kotlin)", image = "ubuntu") {
        env["KEY"] = Params("access-key")

        kotlinScript {
            val key = System.getenv("KEY")
            println("""
                Value from Vault is $key
            """)
        }
    }
}

It’s worth noting that the println in the script above is pointless: Automation detects secret values in the build log and replaces them with asterisks, so the value is never displayed.
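The asterisk substitution is a log filter applied to job output. The page does not describe how Space implements it, so the following is an added example, not Space’s code: one way to build such a filter, with constructed log lines and a constructed secret value standing in for the Vault parameter. It catches the exact value and the two encodings build tooling most often prints it in, and the last sample line shows the limit of the approach: a value that has been transformed on the way to the log is not recognized, which is why masking is a safety net and not a reason to print secrets.

```python
import base64
import re
import urllib.parse

# Constructed policy: do not mask values shorter than this, or "***" would hit ordinary words.
MIN_LEN = 4


def _variants(value):
    """The exact value plus the encodings a build log is most likely to contain it in."""
    yield value
    yield base64.b64encode(value.encode()).decode()
    yield urllib.parse.quote(value, safe="")


def build_masker(secret_values, mask="***"):
    """Return a function that masks every registered secret and its variants in one line.
    Alternatives are tried longest first so a value that contains another is masked whole."""
    pats = {v for s in secret_values if len(s) >= MIN_LEN for v in _variants(s)}
    if not pats:
        return lambda line: line  # an empty alternation would match between every character
    rx = re.compile("|".join(re.escape(p) for p in sorted(pats, key=len, reverse=True)))
    return lambda line: rx.sub(mask, line)


# Constructed secret standing in for the Vault parameter; not a real credential.
SECRET = "AKIA-EXAMPLE/0000+x="

# Constructed build-log lines; not output of any real job.
LOG = [
    "Value from Vault is " + SECRET,
    "curl -u deploy:" + SECRET + " https://registry.example.test/v2/",
    "debug: b64=" + base64.b64encode(SECRET.encode()).decode(),  # caught: registered variant
    "debug: url=" + urllib.parse.quote(SECRET, safe=""),         # caught: registered variant
    "debug: rev=" + SECRET[::-1],  # not caught: the filter cannot know about arbitrary transforms
]


def mask_log(lines=LOG, secret_values=(SECRET,)):
    """Apply the filter to every line and return the masked log."""
    masker = build_masker(secret_values)
    return [masker(line) for line in lines]


if __name__ == "__main__":
    for line in mask_log():
        print(line)
```

Running it prints the first four lines with the value replaced by `***` and the fifth with the reversed value intact.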

How does it work?

  • Space stores the AppRole Role ID and Secret ID in its encrypted storage. These credentials never leave Space.
  • When an Automation job starts, Space logs in to Vault with them and asks for the authentication token response-wrapped. What Space receives is a short-lived, single-use wrapping token, not the client token itself.
  • Space doesn’t use the token itself, but passes it to the worker.
  • The worker that runs the job unwraps it and uses the resulting Vault token to read the values. The values never leave the worker.
  • As soon as the worker has the values, the Vault token is revoked.
  • If a value does end up in the build log for some reason, Automation detects this and replaces it with asterisks. With this update, this masking covers both Vault secrets and standard Space-stored secrets.
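The sequence above, written out as an added example in Python against the Vault HTTP API (this is not Space’s or HashiCorp’s code). The endpoints used, auth/approle/login with the X-Vault-Wrap-TTL header, sys/wrapping/unwrap, secret/data/<path> and auth/token/revoke-self, are Vault’s real API; the Role ID, Secret ID, KV path and value are constructed, and a small in-process stub of those four endpoints is started so the example runs offline. Point `addr` at a real Vault server with the corresponding AppRole and KV mount configured and the stub is not needed. The two functions mirror the two parties: `space_request_wrapped_login` only ever holds the wrapping token, `worker_fetch_and_revoke` is the only place the client token exists, and it revokes it before returning.

```python
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed AppRole credentials and KV secret for the stub (assumptions, not real values).
ROLE_ID, SECRET_ID = "role-1234", "secret-abcd"
KV = {"space/build": {"access-key": "AKIA-EXAMPLE-0000"}}


class StubVault(BaseHTTPRequestHandler):
    """Stand-in for the four Vault API endpoints the flow touches; not Vault itself."""
    wrapped = {}  # wrapping token -> wrapped login response, popped on first unwrap
    live = set()  # client tokens not yet revoked

    def _send(self, code, obj=None):
        body = json.dumps(obj).encode() if obj is not None else b""
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        tok = self.headers.get("X-Vault-Token")
        data = json.loads(self.rfile.read(int(self.headers.get("Content-Length") or 0)) or b"{}")
        if self.path == "/v1/auth/approle/login":  # stub only serves the response-wrapped form
            if (data.get("role_id"), data.get("secret_id")) != (ROLE_ID, SECRET_ID):
                return self._send(403, {"errors": ["invalid role or secret ID"]})
            client = "hvs." + secrets.token_urlsafe(16)
            self.live.add(client)
            wrap = "hvs." + secrets.token_urlsafe(16)
            self.wrapped[wrap] = {"auth": {"client_token": client}}
            return self._send(200, {"wrap_info": {"token": wrap}})
        if self.path == "/v1/sys/wrapping/unwrap":
            login = self.wrapped.pop(tok, None)  # single use: a second unwrap fails
            return self._send(200, login) if login else self._send(400, {"errors": ["wrapping token is not valid"]})
        if self.path == "/v1/auth/token/revoke-self":
            self.live.discard(tok)
            return self._send(204)
        self._send(404, {"errors": []})

    def do_GET(self):
        path = self.path.removeprefix("/v1/secret/data/")
        if self.headers.get("X-Vault-Token") not in self.live or path not in KV:
            return self._send(403, {"errors": ["permission denied"]})
        self._send(200, {"data": {"data": KV[path]}})

    def log_message(self, *args):  # keep the demo quiet
        pass


def _call(addr, path, token=None, data=None, extra=None):
    """One Vault HTTP API call; returns the parsed JSON body ({} for 204 No Content)."""
    headers = {"Content-Type": "application/json", **(extra or {})}
    if token:
        headers["X-Vault-Token"] = token
    body = json.dumps(data).encode() if data is not None else None
    req = urllib.request.Request(f"{addr}/v1/{path}", data=body, headers=headers,
                                 method="POST" if body is not None else "GET")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def space_request_wrapped_login(addr, role_id, secret_id, wrap_ttl="60s"):
    """Space's side: AppRole login with X-Vault-Wrap-TTL; only the wrapping token comes back."""
    resp = _call(addr, "auth/approle/login", data={"role_id": role_id, "secret_id": secret_id},
                 extra={"X-Vault-Wrap-TTL": wrap_ttl})
    return resp["wrap_info"]["token"]


def worker_fetch_and_revoke(addr, wrap_token, secret_path, key):
    """Worker's side: unwrap, read the value, then revoke the client token, even on error."""
    client = _call(addr, "sys/wrapping/unwrap", token=wrap_token, data={})["auth"]["client_token"]
    try:
        return _call(addr, f"secret/data/{secret_path}", token=client)["data"]["data"][key], client
    finally:
        _call(addr, "auth/token/revoke-self", token=client, data={})


def _rejected(fn):
    """True if Vault refused the call with a 4xx, False if it succeeded."""
    try:
        fn()
    except urllib.error.HTTPError as e:
        return e.code in (400, 403)
    return False


def run_demo():
    srv = HTTPServer(("127.0.0.1", 0), StubVault)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    addr = f"http://127.0.0.1:{srv.server_port}"
    try:
        wrap = space_request_wrapped_login(addr, ROLE_ID, SECRET_ID)
        value, client = worker_fetch_and_revoke(addr, wrap, "space/build", "access-key")
        return {"value": value,
                "wrap_token_reusable": not _rejected(lambda: _call(addr, "sys/wrapping/unwrap", token=wrap, data={})),
                "client_token_alive": not _rejected(lambda: _call(addr, "secret/data/space/build", token=client))}
    finally:
        srv.shutdown()
```

`run_demo()` returns the value the worker read and two checks a reviewer of this design cares about: the wrapping token cannot be unwrapped a second time, and the client token no longer works once the job has its values. Against a real Vault, the same two checks hold because wrapping tokens are single-use and revoke-self is immediate.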

That’s all we wanted to share today. If you use Vault in your projects, please give this feature a try and share your thoughts!
