What is a good Vault Secret access with GitlabCI?

Hi all!

I started using Vault a week ago and I have a lot of questions regarding accessing my secrets.

My secrets structure is:

```
|SecretEngine
|--APP
|-----|DEV
|------------|SECRET1
|------------|SECRET2
|-----|PROD
|------------|SECRET1
|------------|SECRET2
```
I found two ways to get these secrets:

  1. With kv get -format=yaml

```shell
vault kv get -mount=SECRETENGINE -format=yaml $APP/$ENV
```

But with this I have to create a .dotenv file as an artifact and share it between all my jobs.
For me, this is quite awful, and few people can access my artifact.

  2. Using secrets and id_token

```yaml
id_tokens:
  VAULT_ID_TOKEN:
    aud: https://vault.URL.com
variables:
  VAULT_AUTH_ROLE: role-np-gitlab
secrets:
  DEV:
    vault: APP/DEV@SECRETENGINE
```

This one isn't working because I can't get APP/DEV, which is a folder.
It works for

```yaml
secrets:
  PASSWORD:
    vault: APP/DEV/PASSWORD@SECRETENGINE
```

But if I have a lot of secrets, it's not easy to manage.

  3. Using kv get but in all jobs

Same as 1., I'm getting the YAML file of my ENV, but I need to do it in all my jobs.

So, do you have any ideas for getting my secrets only once and sharing them between my jobs?

Or do I have to do it every time?

All comments are welcome

This doesn't really seem to be a Vault issue, more a GitLab CI issue, but here goes:

For #2: indeed you can’t get a folder in one shot, so you’d have to do each secret individually. If you do want to get the folder in one shot as YAML, you’ll have to do it every time you need the secrets so you don’t generate artifacts that can be read by the wrong people.

It also depends a lot on how/what you are building, so the above is about as good as it gets, answer-wise :slight_smile:
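The reply's recommendation is to fetch the folder in every job that needs it rather than persisting a .dotenv artifact. The following is an added example (not code from the thread, from HashiCorp or from GitLab) of the small helper that makes this painless: it reads the JSON that `vault kv get -format=json` prints on stdin and emits one shell-quoted `export` line per key, so a job can load the whole APP/DEV folder into its own process environment with a single `eval` and nothing is ever written to disk or shared between jobs. The file name kv2env.py, the `SECRETENGINE`/`APP`/`ENV` variables and the sample secret values are assumptions for illustration; the KV v2 layout (`data.data` plus `data.metadata`) and KV v1 layout (`data`) are how the Vault CLI actually formats its JSON output.

```python
"""Turn `vault kv get -format=json` output into shell `export` lines.

Added example for the thread above; it is not part of the original post.
Assumed usage inside each GitLab CI job (hypothetical job script):

    eval "$(vault kv get -format=json -mount="$SECRETENGINE" "$APP/$ENV" | python3 kv2env.py)"

Each job fetches the folder once into its own process environment, so no
.env artifact is written or shared between jobs.
"""
import json
import re
import shlex
import sys

# POSIX environment variable name: letters, digits, underscore; no leading digit.
_ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def kv_data(payload: dict) -> dict:
    """Return the key/value map from a `vault kv get -format=json` document.

    KV v2 nests the secret under data.data (alongside data.metadata); KV v1
    puts it directly under data. Both layouts are accepted.
    """
    data = payload.get("data")
    if not isinstance(data, dict):
        raise ValueError("no 'data' object in vault output")
    inner = data.get("data")
    if isinstance(inner, dict) and "metadata" in data:
        return inner  # KV v2
    return data  # KV v1


def export_lines(payload: dict, prefix: str = "") -> list:
    """Build `export NAME='value'` lines, one per secret key.

    Keys that are not valid environment variable names are rejected rather
    than silently mangled, and values are shell-quoted so that spaces, quotes
    and `$` inside a secret cannot break out of the assignment when eval'd.
    An optional prefix (e.g. "DEV_") lets one job load several folders.
    """
    lines = []
    for key, value in sorted(kv_data(payload).items()):
        name = f"{prefix}{key}"
        if not _ENV_NAME.match(name):
            raise ValueError(f"secret key {key!r} is not a valid environment variable name")
        if not isinstance(value, str):
            value = json.dumps(value)  # nested or non-string values exported as JSON text
        lines.append(f"export {name}={shlex.quote(value)}")
    return lines


# Constructed sample shaped like KV v2 output for APP/DEV from the thread
# (the values are made up for this example, not real secrets).
SAMPLE_KV2 = {
    "request_id": "00000000-0000-0000-0000-000000000000",
    "data": {
        "data": {"SECRET1": "s3cr3t one", "SECRET2": "it's $pecial"},
        "metadata": {"version": 3, "destroyed": False},
    },
}


def main() -> int:
    """Read Vault's JSON from stdin and print export lines for `eval`."""
    payload = json.load(sys.stdin)
    print("\n".join(export_lines(payload)))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the output is consumed by `eval` in the job shell, the quoting step is the security-relevant part: a secret containing `'`, `;` or `$(...)` is exported verbatim instead of being interpreted by the shell. The values still live only in that job's environment, so they are subject to GitLab's normal log masking rules and are gone when the job ends, which is exactly the property the reply asks for.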