Get Secrets from multiple hashicorp vaults in one job

karan.kumar · July 3, 2023, 11:33am

I want to know if it is possible, then how can I fetch secrets from 2 different hashicorp vault in one CI/CD job.

I have two vault servers, so there will be two VAULT_SERVER_URL with different Role and Token.

For example:

read_secret_via_token-id:
  stage: get_secret
  image: vault:1.13.3
  variables:
    VAULT_SERVER_URL: <vault-server-url->
    VAULT_AUTH_ROLE: <role>
  id_tokens:
    VAULT_ID_TOKEN:
      aud: <gitlab-url>
  secrets:
    POSTGRES_USERNAME:
      vault: database/postgres/postgres_username@kv2
      token: $VAULT_ID_TOKEN
      file: false
    POSTGRES_PASSWORD:
      vault: database/postgres/postgres_password@kv2
      token: $VAULT_ID_TOKEN
      file: false
  script:
    - echo "Fetched secret"
    - echo POSTGRES_USERNAME | base64
    - echo POSTGRES_PASSWORD | base64

Thank you in advance

sam_hu · October 10, 2023, 8:23pm

Hi i also have the same issue, did you figure this out eventually?

karan.kumar · October 11, 2023, 9:05am

Yes, I kept the job environment specific and added the vault url as the environment variable separate for each environment. and the same role for all envs (also in GitLab variables) but you can also keep separate roles for each environment…

Topic		Replies	Views
Best way to vary secrets (from vault) by environment GitLab CI/CD	1	735	May 18, 2021
Vault Token Infrastructure as Code & Cloud Native ci , pipelines	2	1660	May 24, 2022
The secrets provider can not be found GitLab CI/CD ci	2	7747	March 2, 2021
How to handle multiple stages (secret environment variables) GitLab CI/CD	1	692	October 1, 2019
Vault Gitlab JWT vault self signer cert GitLab CI/CD	2	1846	March 8, 2021

Get Secrets from multiple hashicorp vaults in one job

Related topics