Features News Plugins

New in TeamCity: Remote Parameters and Updated HashiCorp Vault Plugin

When configuring a CI/CD pipeline, you may need to obtain secrets from a third party. This could be necessary to connect with an external service crucial for your pipeline or to secure the deployment of your application with the required confidential information.

You can store all of these secrets as secure parameters in TeamCity. However, you might need an extra layer of security. For these purposes, people use remote secret management tools such as HashiCorp Vault.

TeamCity has offered an integration with HashiCorp Vault via a plugin for a while. Recently, we’ve updated the way that the plugin is configured, making it much easier and quicker to use. 

Let’s take a closer look at what’s new.

What is HashiCorp Vault?

HashiCorp Vault is a tool designed to manage secrets and protect sensitive data within modern IT infrastructures. It provides a secure and centralized way to store, access, and distribute secrets, such as API keys, passwords, certificates, and encryption keys.

The goal of HashiCorp Vault is to ensure that applications and systems have the necessary credentials and secrets while maintaining a high level of security and compliance.

What’s new: An easier way to set up the connection

TeamCity’s HashiCorp Vault plugin allows you to connect TeamCity to Vault, request new credentials when a build starts, pass them to the build script, and revoke them immediately when the build finishes. 

Previously, you had to use a complex syntax in order to set up the connection between TeamCity and HashiCorp Vault.

The old way of setting up the HashiCorp Vault connection

We’ve added a new parameter type – Remote – that is available right from the Parameter tab.

The new way of setting up the HashiCorp Vault connection

Once you select this parameter type, you can then choose the Remote Connection Type, which in our case is HashiCorp Vault Parameter. The query doesn’t require the % prefixes that it did previously. You can just type in the query and test the connection.

The query now functions without prefixes

Using the Kotlin DSL

You can either configure the connection via the UI or use the Kotlin DSL. For the Kotlin DSL configuration, you can click on the View as code button in the TeamCity UI and review the code.

You can either configure the connection via the UI or use the JetBrains Kotlin DSL. To get a better understanding of what the Kotlin DSL configuration looks like, you can click on the View as code button in the TeamCity UI and review the code. When using the Kotlin DSL, you’ll have to specify the name and the query:

params {
   hashiCorpVaultParameter {
       name = "env.AWS_SECRET_ACCESS_KEY"
       namespace = "accessKeysVault"
       query = "aws/data/access!/AWS_SECRET_ACCESS_KEY"
   hashiCorpVaultParameter {
       name = "env.AWS_ACCESS_KEY_ID"
       query = "aws/data/access!/AWS_ACCESS_KEY_ID"
   param("env.AWS_DEFAULT_REGION", "eu-west-1")

Please refer to our documentation to learn more about setting up the HashiCorp Vault plugin.

How is this update helpful?

Instead of using sophisticated syntax, you can take advantage of the new, more straightforward way for referencing secrets from HashiCorp Vault thanks to the new Remote parameters concept.

You can extend TeamCity’s remote parameters in any way you like. With the new remote parameters in TeamCity, we’re introducing an easier approach to setting up connections to external vaults and other applications. With this, we’ve built the foundation that will make it easier for us to develop new plugins and for you to develop your own.

image description