We’re deploying into a multi-account AWS environment and would like to leverage a centralized Vault instance in the same account as our Drone deployment. We went with Vault specifically to avoid things like long-lived access credentials in CI/CD but it appears that the current Drone Vault integration only supports basic KV access. Are there any plans to support retrieving credentials from secrets engines mounted at other paths? Specifically, we’re looking to support retrieving STS Assume Role tokens from the Vault AWS secrets engine.
There is a vault plugin at drone/drone-vault. We do not have any immediate plans to add support for more auth methods, however, we published the vault plugin so that others could fork and extend as needed.
We have also accepted pull requests for additional auth methods in the past (Reddit implemented the Kubernetes auth method) and would consider a pull request for improved integration with AWS.
Thanks for the reply!
We are currently using that Vault plugin, and I looked into extending it but could not find a solid reference for the YAML specifications of the pipeline secret type. Would you happen to have something like a source reference? I've found the secrets plugin interface in both drone-go and the Vault plugin implementation of that interface, but for the actual YAML featured in that link you shared, is there documentation somewhere on the available fields? It looks like only the name fields from within the get key are actually passed on to the plugin, which may make it kind of challenging.
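As an added illustration of the fork-and-extend route suggested above (this is example code written for this page, not drone/drone-vault's own source), the sketch below shows how a secrets plugin could route a request on the Vault mount prefix: KV reads stay as they are, while paths under the AWS secrets engine mount return one field of the short-lived credential set (access_key, secret_key, security_token) that Vault's aws/creds and aws/sts endpoints hand back. The Request and Secret types here are a reduced copy of drone-go's secret.Request and drone.Secret, which is the assumption behind the "Drone passes both get.path and get.name" comment; the real request also carries Repo and Build, which a plugin should use to restrict which repositories may read the AWS mount at all. The Vault client is replaced by an in-memory fake with constructed sample data so the example runs offline.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Request and Secret mirror the shape of drone-go's secret.Request and
// drone.Secret (assumption: only the fields used here are copied; the real
// Request also carries Repo and Build). For a pipeline secret resource like
//
//	kind: secret
//	name: aws_access_key
//	get:
//	  path: aws/sts/deploy
//	  name: access_key
//
// Drone sends get.path as Path and get.name as Name.
type Request struct {
	Name string `json:"name"`
	Path string `json:"path"`
}

type Secret struct {
	Name string `json:"name"`
	Data string `json:"data"`
}

// VaultReader stands in for a Vault logical read; an interface keeps the
// example runnable without a Vault server.
type VaultReader interface {
	Read(ctx context.Context, path string) (map[string]interface{}, error)
}

// Plugin routes a request on the mount prefix of its path.
type Plugin struct {
	Vault    VaultReader
	AWSMount string // mount path of the AWS secrets engine, e.g. "aws"
}

// Find has the same signature as the drone-go secret plugin interface.
func (p *Plugin) Find(ctx context.Context, req *Request) (*Secret, error) {
	if req.Path == "" || req.Name == "" {
		return nil, errors.New("secret request needs both get.path and get.name")
	}
	data, err := p.Vault.Read(ctx, req.Path)
	if err != nil {
		return nil, err
	}
	if strings.HasPrefix(req.Path, p.AWSMount+"/") {
		return awsSecret(req, data)
	}
	return kvSecret(req, data)
}

// kvSecret handles KV: v2 nests user data under data.data, v1 does not.
func kvSecret(req *Request, data map[string]interface{}) (*Secret, error) {
	if inner, ok := data["data"].(map[string]interface{}); ok {
		data = inner
	}
	v, ok := data[req.Name].(string)
	if !ok {
		return nil, fmt.Errorf("key %q not found at %s", req.Name, req.Path)
	}
	return &Secret{Name: req.Name, Data: v}, nil
}

// awsSecret handles aws/creds/* and aws/sts/* reads. A Drone secret is a
// single string, so one pipeline secret maps to one credential field.
func awsSecret(req *Request, data map[string]interface{}) (*Secret, error) {
	switch req.Name {
	case "access_key", "secret_key", "security_token":
	default:
		return nil, fmt.Errorf("unsupported AWS credential field %q", req.Name)
	}
	v, ok := data[req.Name].(string)
	if !ok || v == "" {
		return nil, fmt.Errorf("field %q missing in Vault response for %s", req.Name, req.Path)
	}
	return &Secret{Name: req.Name, Data: v}, nil
}

// fakeVault holds constructed sample data standing in for a Vault server.
type fakeVault map[string]map[string]interface{}

func (f fakeVault) Read(_ context.Context, path string) (map[string]interface{}, error) {
	d, ok := f[path]
	if !ok {
		return nil, fmt.Errorf("no secret at %s", path)
	}
	return d, nil
}

func newExamplePlugin() *Plugin {
	return &Plugin{AWSMount: "aws", Vault: fakeVault{
		"secret/data/docker": {"data": map[string]interface{}{"username": "drone"}},
		"aws/sts/deploy": {"access_key": "ASIAEXAMPLEKEY",
			"secret_key": "examplesecret", "security_token": "exampletoken"},
	}}
}

func main() {
	// The JSON body Drone posts to the plugin for the YAML above.
	var req Request
	_ = json.Unmarshal([]byte(`{"name":"access_key","path":"aws/sts/deploy"}`), &req)
	s, err := newExamplePlugin().Find(context.Background(), &req)
	fmt.Println(s, err)
}
```

Each credential field becomes its own pipeline secret (one for access_key, one for secret_key, one for security_token), which is what a step then exports as AWS_ACCESS_KEY_ID and friends; because every Vault sts read mints a fresh, short-lived credential, nothing long-lived is stored in Drone.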