Supported engines for Vault secrets

I’ve been trying to use the secrets:vault section in my ci-file to get AWS credentials. According to the docs I can actually set the engine. But what engines are currently supported?

The below snippet gave me the following error.
ERROR: Job failed (system failure): resolving secrets: requesting SecretEngine factory: factory for secret engine “aws” is not registered

job_with_secrets:
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://gitlab.com
  secrets:
    AWS_CREDENTIALS:
      vault:
        engine:
          name: aws
          path: aws
        path: sts/emiel
        field: emiel

So it appears the AWS engine is not supported. Does anybody know of a list of available engines? If anyone can provide some more clarity on this issue, that would be much appreciated.

Regards, Emiel

Hi Emiel,

We also faced the same issue; we have, however, addressed one part of this by using the kv-v1 engine version. Even though in Vault the actual secrets engine is AWS, this does work.

We have the following in our gitlab-ci in order to fetch a set of dynamic AWS credentials:


  secrets:
    ENV_VAR:
      vault: 
        engine:
          name: kv-v1
          path: aws
        path: creds/ROLE_NAME
        field: FIELD
      file: false

However, I did not find any documentation on which engines are actually supported. And this unfortunately does not allow you to use dynamic secrets, as it will read the secret 3 times, which ends up in a non-matching access key/secret key and session token.
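
The mismatch reported in the reply above follows from reading once per field against an endpoint that issues a new credential set on every read. As an added example (not code from either poster or from GitLab), the Python below reads the credentials once over Vault's HTTP API from a job script and takes all three fields from that single response. The Vault address, the role names, the default `auth/jwt` mount and the `FakeVault` stand-in with its values are assumptions constructed for illustration.

```python
import itertools
import json
import urllib.request


def http_json(url, payload=None, token=None):
    """POST payload as JSON when given, otherwise GET; return the decoded body."""
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(url, data=data, headers={"Content-Type": "application/json"})
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def fetch_aws_creds(addr, jwt, auth_role, aws_role, mount="aws", transport=http_json):
    """Log in with the CI ID token, then read <mount>/creds/<aws_role> exactly once."""
    login = transport(f"{addr}/v1/auth/jwt/login", {"role": auth_role, "jwt": jwt})
    lease = transport(f"{addr}/v1/{mount}/creds/{aws_role}", token=login["auth"]["client_token"])
    data = lease["data"]  # one response, so the values below belong to the same set
    creds = {"AWS_ACCESS_KEY_ID": data["access_key"], "AWS_SECRET_ACCESS_KEY": data["secret_key"]}
    if data.get("security_token"):  # empty for credential types without a session token
        creds["AWS_SESSION_TOKEN"] = data["security_token"]
    return creds


class FakeVault:
    """Constructed stand-in for Vault: every read of creds/ issues a fresh set."""

    def __init__(self):
        self.issued = itertools.count(1)

    def __call__(self, url, payload=None, token=None):
        if url.endswith("/v1/auth/jwt/login"):
            return {"auth": {"client_token": "constructed-token"}}
        n = next(self.issued)
        return {"data": {"access_key": f"ACCESS-SET{n}", "secret_key": f"secret-set{n}",
                         "security_token": f"session-set{n}"}}


def per_field_reads(vault, fields=("access_key", "secret_key", "security_token")):
    """One read per field, as with three separate lookups: each value is from a different set."""
    url = "https://vault.example/v1/aws/creds/ROLE_NAME"
    return [vault(url, token="constructed-token")["data"][f] for f in fields]
```

In a job, `fetch_aws_creds` would be called with the real Vault address and `VAULT_ID_TOKEN`, and the returned values exported for the AWS tooling that follows.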