GitLab external secrets: Vault database static/dynamic credentials


I’m using the database engine in Vault, and would like to access both static and dynamic credentials/secrets using gitlab external secrets.
Has anyone been able to do this and, if so, what values should I be using in the gitlab-ci yaml?

I’m worried because the documentation only shows usage with the kv-v2 engine, where it looks like GitLab produces a final path made from the engine path, a hardcoded “data” string, and the given secret path.
However, I need the “data” path component replaced with either “creds” or “static-creds”, depending on whether I’m accessing a dynamic or a static credential (the engine path is the same either way).
I’m assuming the “data” path component might be controllable via the engine:name but I can’t find any valid values searching the documentation (or gitlab issues, or forum posts).

Any ideas? Does gitlab even support vault engines other than kv-v2?

The fallback is, of course, the manual way (using the script to vault-login and vault-read every secret+field you need into variables/files as needed).
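
The “manual way” mentioned above, written out as an added example; it is not part of the original post, nor GitLab’s or Vault’s own code. It talks to Vault’s HTTP API with `urllib` rather than the `vault` CLI, and it assumes (all hypothetical) that JWT auth is mounted at `auth/jwt` with a role `gitlab-ci` bound to the project, that the database engine is mounted at `database` with a dynamic role `app-rw` and a static role `app-reporting`, and that the job receives its ID token in `VAULT_ID_TOKEN`. The `sample_transport` responses are constructed for offline use, not captured from a real server.

```python
"""Fetch Vault database-engine credentials (dynamic and static) from a CI job.

Assumptions (hypothetical, not from the original post or GitLab's docs):
- JWT auth mounted at auth/jwt, role "gitlab-ci" bound to the project
- database engine mounted at "database", dynamic role "app-rw",
  static role "app-reporting"
- the job's ID token is available as VAULT_ID_TOKEN
"""
import json
import os
import urllib.request
from dataclasses import dataclass


def http_transport(method, url, headers, body):
    """Real transport: one JSON request to the Vault HTTP API ({} on empty body)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={**headers, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def credential_path(engine_mount, role, static):
    """Where GitLab hardcodes "data" for kv-v2, the database engine wants
    "creds" (dynamic) or "static-creds" (static) under the same mount."""
    kind = "static-creds" if static else "creds"
    return f"{engine_mount.strip('/')}/{kind}/{role}"


def vault_jwt_login(addr, auth_mount, role, jwt, transport=http_transport):
    """Exchange the job's JWT for a Vault client token."""
    resp = transport("POST", f"{addr}/v1/auth/{auth_mount}/login", {},
                     {"role": role, "jwt": jwt})
    return resp["auth"]["client_token"]


@dataclass
class DbCredential:
    username: str
    password: str
    static: bool
    lease_id: str     # dynamic only; static creds have no lease
    ttl_seconds: int  # lease_duration (dynamic) or data.ttl to next rotation (static)


def read_db_credential(addr, token, engine_mount, role, static, transport=http_transport):
    """GET the credential and normalise the two response shapes into one record."""
    path = credential_path(engine_mount, role, static)
    resp = transport("GET", f"{addr}/v1/{path}", {"X-Vault-Token": token}, None)
    data = resp["data"]
    return DbCredential(
        username=data["username"],
        password=data["password"],
        static=static,
        lease_id="" if static else resp.get("lease_id", ""),
        ttl_seconds=int(data.get("ttl", 0)) if static else int(resp.get("lease_duration", 0)),
    )


def revoke_self(addr, token, transport=http_transport):
    """Revoke the job's own token at the end: Vault then revokes every lease the token
    created (the dynamic DB user) instead of leaving it alive for the full TTL."""
    transport("POST", f"{addr}/v1/auth/token/revoke-self", {"X-Vault-Token": token}, None)


def dotenv_lines(prefix, cred):
    """Lines for a GitLab dotenv artifact so later jobs can consume the values."""
    return [f"{prefix}_USERNAME={cred.username}", f"{prefix}_PASSWORD={cred.password}"]


def write_dotenv(path, lines):
    """Owner-only permissions: the file holds live database passwords."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")


def fetch_all(addr, jwt, transport=http_transport):
    """Log in once, then read one dynamic and one static credential."""
    token = vault_jwt_login(addr, "jwt", "gitlab-ci", jwt, transport)
    dyn = read_db_credential(addr, token, "database", "app-rw", False, transport)
    sta = read_db_credential(addr, token, "database", "app-reporting", True, transport)
    return token, dyn, sta


def sample_transport(method, url, headers, body):
    """Constructed Vault responses (not from a real server) for offline runs."""
    if url.endswith("/v1/auth/jwt/login") and method == "POST" and body.get("jwt"):
        return {"auth": {"client_token": "hvs.sample-token"}}
    if headers.get("X-Vault-Token") != "hvs.sample-token":
        raise PermissionError("missing or wrong token")
    if url.endswith("/v1/database/creds/app-rw"):
        return {"lease_id": "database/creds/app-rw/sample-lease", "lease_duration": 3600,
                "data": {"username": "v-jwt-app-rw-sample", "password": "dyn-pass"}}
    if url.endswith("/v1/database/static-creds/app-reporting"):
        return {"lease_id": "", "lease_duration": 0,
                "data": {"username": "reporting", "password": "static-pass", "ttl": 1800}}
    if url.endswith("/v1/auth/token/revoke-self"):
        return {}
    raise FileNotFoundError(url)


if __name__ == "__main__":
    addr = os.environ["VAULT_ADDR"]
    token, dyn, sta = fetch_all(addr, os.environ["VAULT_ID_TOKEN"])
    write_dotenv("db.env", dotenv_lines("APP_DB", dyn) + dotenv_lines("REPORT_DB", sta))
    # ... do the job's database work here, then:
    revoke_self(addr, token)
```

Run it from the job’s `script:` with `VAULT_ADDR` set and the ID token supplied by the job (for example via GitLab’s `id_tokens:` keyword, an assumption here). Two caveats a practitioner will care about: a dotenv report artifact makes the values visible to downstream jobs, so only emit what they need; and the static credential is shared and rotated on Vault’s schedule, so there is nothing to revoke for it, whereas the dynamic user disappears as soon as the token is revoked.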


Hi @GKTheOne

AFAIK the only officially supported engine is kv-v2; there is an FR for kv-v1, but I haven’t seen FRs for other engines.

Thanks @balonik. That’s what I was thinking and afraid of :smiley:. Cheers.