Best way to vary secrets (from vault) by environment

jon.craig · May 17, 2021, 6:48pm

I have the integration between gitlab-ci and vault functioning but I have found that you cannot use variables in the secret definition. I can do:

secrets:
  my_secret:
    vault: my-org/my-subgroup/my-project/prd/database/password@secret

to read:

  secret/data/my-org/my-subgroup/my-project/prd/database:
      password: something_really_secure

But would like to do something like:

secrets:
  my_secret:
    vault: $CI_PROJECT_PATH/$CI_ENVIRONMENT_NAME/database/password@secret

This would allow me to put all my secrets into a hidden job and then easily extend other jobs to include them. As it is I cannot see any way to use this integration short of hand coding each secret in each environment.

balonik · May 18, 2021, 9:43am

Hi @jon.craig
currently you have to specify it per job. There is opened issue for using variables inside secret paths

Topic		Replies	Views
Use CI variables in other Files GitLab CI/CD ci	2	4124	July 20, 2022
Are there any smarter ways to read secret from vault without having large secrets block in pipeline stage? GitLab CI/CD	0	261	November 6, 2023
Variables in GitLab CI How to Use GitLab ci	4	1130	December 13, 2019
How to handle multiple stages (secret environment variables) GitLab CI/CD	1	615	October 1, 2019
Make job deploy to any environment and handle variables accordingly GitLab CI/CD env-vars	0	145	April 13, 2024

Best way to vary secrets (from vault) by environment

Related topics