Create and use secrets
Available in versions: 23.4
Use secrets to store credentials, passwords, access tokens, or other privileged information in an encrypted format. Include secrets in chains to securely pass sensitive data required for completing specific chain steps.
Guidelines for using secrets
When you run PulseUno chains, secrets provide a secure way of including private data, such as passwords and access tokens for third-party tools.
Example: To run a build job that requires restarting an external server, create secrets to store the server username and password, and then use the secrets in your build job. This keeps the credentials from being exposed.
You can create and store secrets in PulseUno or add a provider from which to retrieve secrets for your build jobs. PulseUno integrates with the HashiCorp Vault secrets manager.
Guidelines for creating and using secrets:
You can add secrets at the global, space, or product level. Global secrets are shared across all spaces and products in your PulseUno instance. Space and product secrets are scoped to a specific space or product.
Space secrets override global secrets that have the same names, and product secrets override both global and space secrets that have the same names.
To use HashiCorp Vault as the secrets provider, connect your HashiCorp Vault instance to a PulseUno space. PulseUno can read HashiCorp Vault secrets only if they are stored in the Key/Value (K/V) secrets engine, version 1 or 2.
For details on how to set up the K/V secrets engine and write secrets to it, see the HashiCorp Vault documentation.
To add secrets providers, you need administrator or space owner permissions.
To add secrets, you need the following permissions:
Level Role permissions Global secrets Administrator Space secrets Space owner, administrator Product or Git repository secrets Product owner, administrator
For details about assigning roles, see Manage members and teams.
PulseUno chains consume secrets through chain variables, where a secret is set as a variable value. For details, see Reference secrets in chains.
Secrets are displayed obscured in logs. If a secret is set as a private variable, the secret's name is also displayed obscured.
Secrets are stored in the database as AES 256 encrypted values.
Caution: PulseUno uses a master.key file to encrypt all private data in the database. If the master.key file is lost, the private data can no longer be decrypted. You need to generate a new master.key and re-enter all secrets and credentials for secrets providers. For details, see Secure your PulseUno installation.
Create and modify secrets
Create global secrets and use them across multiple spaces and products. To limit the scope, add secrets to a specific space, product, or Git repository.
To create or modify a secret:
Select where you want to add a secret:
Add a global secret Go to Administration > Secrets. Add a secret to a space On the top navigation bar, select a space from the spaces list. Then select Settings > Secrets on the sidebar. Add a secret to a product After selecting a space, open the relevant product or Git repository from the product list. Then select Settings > Secrets on the sidebar.
On the toolbar, click New Secret .
In the Create New Secret dialog box, provide the name and value of your secret:
Field Description Name
Enter a name for the secret. You can use Latin characters, numbers, and underscores. Names are not case-sensitive.
Secrets defined at the same level must have unique names. But you can create secrets with the same names at different levels, for example, at the product and space levels.
If secrets have the same names, lower-level secrets take precedence over those defined at a higher level. For example, product secrets override space and global secrets.
Value Enter the secret's value.
To change a secret's value, select the secret in the list, and click Edit Secrets on the toolbar. For security purposes, PulseUno doesn't display the old value of the secret.
To remove a secret, select the secret in the list, click Delete on the toolbar, and confirm.
Add a HashiCorp Vault secrets provider
To access secrets stored in HashiCorp Vault, add a HashiCorp Vault secrets provider to a space. You can then use HashiCorp Vault secrets in chains across all products within the space.
To create a secrets provider:
On the top navigation bar, select a space from the spaces list.
On the sidebar, select Settings > Secret Providers.
On the toolbar, click New Secret Provider .
In the Create New Secret Provider dialog box, enter the details of your HashiCorp Vault instance:
Field Description Name Enter a name for the secret provider. Vault URL
Enter the URL and port of your HashiCorp Vault server, for example:
Enter the role ID for logging in to the HashiCorp Vault server.
PulseUno uses the AppRole auth method to fetch the access token for HashiCorp Vault. To authenticate with HashiCorp Vault, the AppRole auth method requires the role ID and secret ID for the role assigned to PulseUno.
For details on how to create a role and fetch the role ID and secret ID, see the HashiCorp Vault documentation.
Secret ID Enter the secret ID for logging in to HashiCorp Vault. Role Path
(Optional) Enter the path at which the AppRole is mounted.
Leave empty to use the default mount path: approle
Namespace HashiCorp Vault Enterprise only: (Optional) If you use namespaces, enter the mount path to the dedicated namespace from which to fetch secrets.
To include a secret in a chain, add a chain variable and specify the secret as the variable value. For details about adding variables to chains, see Define chain and global variables.
When referencing secrets in variables, use the following syntax:
|Secrets defined in PulseUno||
where <secretName> is the name of the secret created in PulseUno.
|HashiCorp Vault secrets||
Suppose you have added a HashiCorp Vault secrets provider called credVault.
Your secret is located at the secret/data/library path in HashiCorp Vault and contains the following JSON data:
"libraryName": "Wonderland Library",
"location": "123 Library Street, Booktown",
"title": "The Adventures of Alice",
"name": "Lewis Carroll",
"name": "Emily Librarian",
"position": "Head Librarian",
"name": "Sam Assistant",
"position": "Library Assistant",
Suppose that the secret value you need to fetch from the JSON data is Head Librarian on line 23.
In this case, use the following syntax to reference the secret value in a variable:
where staff/0/position is the JSON pointer:
|staff||Points to the property containing the array with the secret value.|
|0||Indicates that the secret value is located in the first object inside the array.|
|position||Specifies the key whose secret value you want to fetch.|