Dynamically add BUILDKITE_VAULT_SECRET

Hello Team,

I have a requirement to add the vault secret name at run time from a custom file. I expect to get the secret value from those vault secrets.

  1. I already have a pipeline.yml file, and the static vault is working as expected.

```yaml
agents:
  queue: docker
steps:
  - label: 'Get Delta files and deploy artifacts'
    env:
      BUILDKITE_VAULT_SECRET: "secrets_1,secrets_2"
    commands:
      - echo "$BUILDKITE_VAULT_SECRET_1"
      - echo "$BUILDKITE_VAULT_SECRET_2"
```

  2. I wanted to add some more secrets at run time. Can we have a shell script to load those secrets?

```bash
#!/bin/bash
set -eu
# Log to stderr: stdout is reserved for the generated pipeline YAML below
printf 'Executing the pipeline.sh\n' >&2
# If you build HEAD the pipeline.sh step, because it runs first, won't yet
# have the updated commit SHA. So we have to figure it out ourselves.
if [[ "${BUILDKITE_COMMIT:-HEAD}" == "HEAD" ]]; then
  commit=$(git show HEAD -s --pretty='%h')
else
  commit="${BUILDKITE_COMMIT}"
fi

# We have to use cat because pipeline.yml $ interpolation doesn't work in YAML
# keys, only values

cat <<YAML
agents:
  queue: docker
steps:
  - label: 'Dynamic Vault Read'
    env:
      BUILDKITE_VAULT_SECRET: "secret_3,secret_4.....n"
    commands:
      - echo "Printing from Dynamic Vault Read"
YAML
```

I have tried with the above pipeline.yml and shell script, but the shell script vault is not loading as expected.

Hi @sukurams, welcome to the community!

This is an interesting one. I’m not sure what your shell scripts are doing here, but what I would suggest is to send us an email at support@buildkite.com sharing some builds where you’re giving this a try and some more details on your vault implementation on those agents, and we’d be happy to give you a hand!

Cheers,
Jeremy
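
An added example, not part of the original posts and not Buildkite's own code: one way to build the step from a file of secret names, assuming (as the question describes) that the agent's Vault hook reads a comma-separated `BUILDKITE_VAULT_SECRET`. The file format, function names and name allowlist are assumptions; names are validated so file contents cannot inject YAML, and diagnostics go to stderr so stdout stays pure YAML.

```shell
#!/bin/sh
set -eu

# Print the names in FILE (one per line, '#' starts a comment) joined by commas.
# Names outside [A-Za-z0-9_] are rejected so file contents cannot inject YAML.
join_secret_names() {
  names=""
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
    [ -n "$line" ] || continue
    case "$line" in
      *[!A-Za-z0-9_]*) echo "invalid secret name: $line" >&2; return 1 ;;
    esac
    names="${names:+$names,}$line"
  done < "$1"
  [ -n "$names" ] || { echo "no secret names found in $1" >&2; return 1; }
  printf '%s' "$names"
}

# Emit the step on stdout only; secret values are never read or printed here.
emit_pipeline() {
  secret_list=$(join_secret_names "$1") || return 1
  cat <<YAML
agents:
  queue: docker
steps:
  - label: 'Dynamic Vault Read'
    env:
      BUILDKITE_VAULT_SECRET: "${secret_list}"
    commands:
      - echo "Printing from Dynamic Vault Read"
YAML
}

# Usage: ./pipeline.sh secrets.txt | buildkite-agent pipeline upload
# With no argument, a constructed sample list is used for demonstration.
if [ "$#" -gt 0 ]; then
  emit_pipeline "$1"
else
  sample=$(mktemp)
  printf 'secret_3\nsecret_4  # constructed sample\n' > "$sample"
  emit_pipeline "$sample"
  rm -f "$sample"
fi
```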