A Buildkite plugin to read secrets from GCP Secret Manager into environment variables

robert-fahey/gcp-secret-manager-buildkite-plugin

 
 

GCP Secret Manager Buildkite Plugin

A Buildkite plugin to read secrets from GCP Secret Manager.

This plugin requires either a Google Cloud credentials file or application default credentials to be available on your Buildkite Agent machines. Additionally, you must specify the GCP project ID that the secrets will be pulled from.

Other preinstalled requirements:

Example

Add the following to your pipeline.yml:

steps:
  - command: 'echo \$SECRET_VAR'
    plugins:
      - robert-fahey/gcp-secret-manager#1.2.0:
          project_id: "your-gcp-project-id" # NEW
          credentials_file: /etc/gcloud-credentials.json
          env:
            SECRET_VAR: my-secret-name:5 # NEW - the version number is optional
            OTHER_SECRET_VAR: my-other-secret-name

Configuration

project_id (required, string)

The Google Cloud Project ID from which the secrets will be pulled.

credentials_file (optional, string)

The file path of a Google Cloud credentials file that is used to access the secrets. If not specified, application default credentials are searched for and used if available. The account must have the Secret Accessor role (roles/secretmanager.secretAccessor) for each secret being accessed.

env (object)

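An object that maps each exported environment variable name to the name of the secret that populates its value. A version number can be appended to the secret name after a colon, as in my-secret-name:5; the version number is optional.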
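
As an added example (not the plugin's own code), this sketch shows one way to split and validate an env value such as my-secret-name:5 before it reaches the gcloud command line. The function names and the default of latest when no version is given are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the plugin's implementation: parse an env entry value of
# the form "secret-name" or "secret-name:version" and validate both parts.

# parse_secret_spec SPEC -> prints "NAME VERSION"; returns 1 on invalid input.
parse_secret_spec() {
  spec=$1
  case $spec in
    *:*) name=${spec%%:*}; version=${spec#*:} ;;
    *)   name=$spec; version=latest ;;   # assumption: no version means latest
  esac
  # Secret Manager secret IDs: letters, digits, '-' and '_', 1 to 255 chars.
  case $name in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
  [ "${#name}" -le 255 ] || return 1
  # Version must be a positive integer or the alias "latest".
  case $version in
    latest) ;;
    ''|0*|*[!0-9]*) return 1 ;;
  esac
  printf '%s %s\n' "$name" "$version"
}

# fetch_secret PROJECT_ID SPEC -> prints the secret payload.
# Needs gcloud and working credentials; not called in this example.
fetch_secret() {
  parsed=$(parse_secret_spec "$2") || { echo "invalid secret spec: $2" >&2; return 1; }
  gcloud secrets versions access "${parsed#* }" \
    --secret="${parsed% *}" --project="$1"
}

# Constructed demo using the two values from the pipeline example above.
for s in my-secret-name:5 my-other-secret-name; do
  parse_secret_spec "$s"
done
```

Pinning a version number in the pipeline keeps a build reproducible when the secret is rotated, while an unpinned entry follows whatever version is current.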

Developing

To run the tests:

docker-compose run --rm shellcheck
docker-compose run --rm tests

Contributing

  1. Fork the repo
  2. Make the changes
  3. Run the tests
  4. Commit and push your changes
  5. Send a pull request

The main change here is the introduction of project_id as a required field in the example and the Configuration section. Adjust the example project name 'your-gcp-project-id' as needed based on your specific requirements.
