How to manage secrets in Travis CI
This guide shows you how you can use SecretHub for your pipeline secrets. You’ll be able to define the required secrets in the .travis.yml file.
Before you begin
Before you start, make sure you have completed the following steps:
- Set up SecretHub on your workstation.
Step 1: Write your secrets
If you haven’t done so already, store your secrets on SecretHub. You can use the following commands to get everything set up:
- secrethub repo init to create a repository
- secrethub mkdir to create a directory
- secrethub write to write some secrets
In the examples we’ll be using two AWS secrets: company/app/aws/access_key_id and company/app/aws/secret_access_key, but the same principle applies to all secrets.
Step 2: Set up your Travis CI configuration
To configure your Travis CI pipeline, add a file named .travis.yml to your repository, similar to this one:
language: node_js
node_js:
- 7
before_install:
- echo "deb [trusted=yes] https://apt.secrethub.io stable main" | sudo tee /etc/apt/sources.list.d/secrethub.sources.list
- sudo apt-get update && sudo apt-get install -y secrethub-cli
env:
- AWS_REGION="us-east-1"
- AWS_ACCESS_KEY_ID="secrethub://company/app/aws/access_key_id"
- AWS_SECRET_ACCESS_KEY="secrethub://company/app/aws/secret_access_key"
script:
- secrethub run -- ./deploy.sh
There are three things to note here. First of all, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are set to reference the paths at which the secrets are stored on SecretHub.
Furthermore, in the before_install step the SecretHub CLI is installed. The CLI will be used later to provision the secrets. Alternatively, you can include the installation in the Docker image on which the job runs, to save one step every time your job is executed.
The last thing to note is that the command that requires the secrets, ./deploy.sh in this case, is wrapped in secrethub run --. The run command replaces the secret references in the environment of the subcommand with the secret values.
For jobs that you’d like to be able to run locally as well (e.g. your tests), consider using environment files. They’re also a good fit if you have secrets for multiple environments, as they support templating.
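As an added example (not part of the SecretHub guide or its tooling), here is a small POSIX shell helper that a hypothetical ./deploy.sh can source before making any AWS call. It fails fast if a variable is unset or still holds an unresolved secrethub:// reference (for instance because the job was not wrapped in secrethub run), and its error messages name only the variable, never its value, so they are safe in a build log.

```shell
#!/bin/sh
# deploy_checks.sh (hypothetical): sourced by ./deploy.sh, the command that
# .travis.yml wraps in `secrethub run --`. Verifies that every secret
# reference was replaced with a real value before the deploy proceeds.

# check_resolved NAME: succeed only if the environment variable NAME is
# set, non-empty, and no longer holds an unresolved secrethub:// reference.
# Errors mention the variable name only, never its value.
check_resolved() {
    name="$1"
    case "$name" in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "error: invalid variable name '$name'" >&2; return 1 ;;
    esac
    eval "value=\${$name:-}"    # name is validated above, so eval is safe here
    if [ -z "$value" ]; then
        echo "error: $name is not set; was the job wrapped in 'secrethub run --'?" >&2
        return 1
    fi
    case "$value" in
        secrethub://*)
            echo "error: $name still holds an unresolved secrethub:// reference" >&2
            return 1 ;;
    esac
    return 0
}

# require_secrets NAME...: check every name and report all failures at once,
# so a single run of the job shows everything that is missing.
require_secrets() {
    rc=0
    for n in "$@"; do
        check_resolved "$n" || rc=1
    done
    return "$rc"
}

# In deploy.sh, before any AWS call:
#   . ./deploy_checks.sh
#   require_secrets AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY || exit 1
```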
Step 4: Create a SecretHub service account
SecretHub uses service accounts to grant non-human parties (such as CIs) access to secrets.
To create a service account, run the secrethub service init command:
secrethub service init --permission read company/app
This command will output the generated account credential. Make sure to copy it as it will be needed in the next step.
The --permission read flag will grant the service read access to the specified repo.
Note that you can use the --clip flag to write the output of the command to your clipboard:
secrethub service init --clip --permission read company/app
Step 5: Provide the credential to Travis CI
- Log in to the Travis CI web interface and navigate to your repository
- Choose “Settings” from the “More options” menu
- Scroll to the “Environment Variables” section
- Set the variable name to SECRETHUB_CREDENTIAL and the value to the key generated in the previous step. Make sure that “Display value in build log” is unchecked and click Add.
You have successfully configured your Travis CI pipeline to fetch secrets from SecretHub. Moreover, you can now rotate your secrets and the pipeline will automatically use their latest version.
See also
- For more information about the run command, check out the documentation.
- For more details about SecretHub services check out the documentation.
Happy coding!