
Secret handling in Travis CI

In Travis CI, secrets are usually registered as environment variables and used during the execution of the pipeline. This simple approach has advantages, but also brings challenges of its own.

For starters, to run tests locally with this setup, secrets need to be manually synchronized between different developers and environments.

Moreover, according to the Travis CI best practices for security, developers must look out for scripts accidentally logging sensitive data and are encouraged to regularly rotate secrets.

Secret management with SecretHub

SecretHub simplifies secret management by storing secrets securely in a central database and providing them automatically to all authenticated parties.

When using SecretHub, the secret-to-environment-variable mapping moves into a secrethub.env file. The same file can then be used to run the code in production or locally, from your IDE or the command line, so there is nothing to synchronize by hand.

What’s more, SecretHub supports versioning, which simplifies the process of regularly rotating secrets.

Before you begin

To follow along, you will need to:

Step 1: Write your secrets

First, write your secrets to SecretHub to have them provided to the CI pipeline or any development environment.

SecretHub organizes secrets in repositories. To create a repository for your secrets use the repo init command:

secrethub repo init your-username/repo-name

Now you can write the secrets that you want to have access to later with the write command:

secrethub write your-username/repo-name/password

Step 2: Add the secrethub.env file

To provide a mapping between environment variables and secrets, create a file named secrethub.env in your project’s root directory, similar to this one:

DB_HOST = localhost
DB_USER = test-user
DB_PASS = {{ your-username/repo-name/password }}

The path {{ your-username/repo-name/password }} references the secret defined in the previous step.

Step 3: Set up your Travis CI configuration

To configure your Travis CI pipeline add a file named .travis.yml to your repository, similar to this one:

language: node_js
node_js:
  - 7

before_install:
  - echo "deb [trusted=yes] https://apt.secrethub.io stable main" | sudo tee /etc/apt/sources.list.d/secrethub.sources.list
  - sudo apt-get update && sudo apt-get install -y secrethub-cli

script:
  - secrethub run -- node test.js

Note that this example uses a Node.js app; the same steps apply to other test commands.

The commands in the before_install section install the SecretHub CLI onto the pipeline's build environment. Note that [trusted=yes] on the apt source line tells apt to skip signature verification for that repository, so the CLI that will later handle your secrets is installed unverified; if the repository publishes a signing key, import it and drop the flag.

Alternatively, the CLI can be baked into a Docker image that the pipeline runs in, so it is not reinstalled on every build.

In the script section, the command you usually run tests with (in this case node test.js) is wrapped with the secrethub run command. This command fetches the secrets required by the application and injects them as environment variables according to the mapping specified in the secrethub.env file; the rest of the environment is passed through unchanged.
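To make the mapping concrete, here is an added illustration (not the SecretHub CLI and not code from the original post) of what secrethub run does with the secrethub.env file from Step 2: parse the file, resolve every {{ path }} reference, export the result only for the wrapped command, and fail hard on an unknown path instead of handing the application an empty variable. The resolve_secret function is a hypothetical stand-in for the API lookup and returns a made-up value, so the script runs offline; the secrethub.env content and the build log are constructed inline. The final function, log_leaks_secret, is the check the Travis CI guidance above implies: scan a build log for any resolved secret value that a script printed verbatim.

```shell
#!/bin/sh
# Added illustration of the secrethub.env mapping; NOT SecretHub's implementation.
# resolve_secret is a hypothetical stand-in for the SecretHub API lookup and
# returns constructed values so that everything below runs offline.

# Hypothetical stand-in for `secrethub read <path>`. Values are made up.
resolve_secret() {
  case "$1" in
    your-username/repo-name/password) printf '%s' 'Pa55w0rd-sample' ;;
    *) printf 'resolve_secret: unknown path %s\n' "$1" >&2; return 1 ;;
  esac
}

# Strip leading/trailing whitespace from a single value.
trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

# render_env FILE: print KEY=VALUE lines with {{ path }} references resolved.
# Literal values pass through; an unresolvable path aborts the whole run.
render_env() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac      # skip blanks and comments
    key=$(trim "${line%%=*}")
    val=$(trim "${line#*=}")
    case "$val" in
      '{{'*'}}')
        path=${val#"{{"}
        path=${path%"}}"}
        path=$(trim "$path")
        val=$(resolve_secret "$path") || return 1 ;;
    esac
    printf '%s=%s\n' "$key" "$val"
  done < "$1"
}

# run_with_secrets FILE CMD...: export the rendered variables in a subshell and
# exec CMD there, so the secrets never end up in the caller's environment.
run_with_secrets() {
  envfile=$1; shift
  rendered=$(render_env "$envfile") || return 1
  (
    while IFS= read -r kv; do
      case "$kv" in ?*) export "$kv" ;; esac
    done <<EOF
$rendered
EOF
    exec "$@"
  )
}

# log_leaks_secret LOGFILE ENVFILE: succeed (exit 0) if any resolved secret value
# from ENVFILE appears verbatim in LOGFILE, i.e. a script logged sensitive data.
log_leaks_secret() {
  logfile=$1; envfile=$2
  grep -o '{{[^}]*}}' "$envfile" | while IFS= read -r ref; do
    path=${ref#"{{"}
    path=${path%"}}"}
    path=$(trim "$path")
    secret=$(resolve_secret "$path") || continue
    if grep -qF -- "$secret" "$logfile"; then exit 3; fi
  done
  [ $? -eq 3 ]
}

# Stand-alone demo with constructed inputs.
demo() {
  dir=$(mktemp -d) || return 1
  # Constructed secrethub.env mirroring the one from Step 2.
  cat > "$dir/secrethub.env" <<'EOF'
DB_HOST = localhost
DB_USER = test-user
DB_PASS = {{ your-username/repo-name/password }}
EOF
  # The wrapped command sees the secret; the demo only prints its length.
  run_with_secrets "$dir/secrethub.env" \
    sh -c 'echo "connecting as $DB_USER to $DB_HOST (password length ${#DB_PASS})"'
  # Constructed build log in which a careless script echoed the password.
  printf 'DEBUG: db password is %s\n' \
    "$(resolve_secret your-username/repo-name/password)" > "$dir/build.log"
  if log_leaks_secret "$dir/build.log" "$dir/secrethub.env"; then
    echo "WARNING: a secret value appears verbatim in build.log"
  fi
  rm -rf "$dir"
}
demo
```

Two design points carry over to the real setup: resolving the secrets in a subshell around the test command keeps them out of the rest of the job, and treating an unknown path as a failure (rather than an empty string) means a typo in secrethub.env breaks the build instead of silently producing a test run without credentials.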

Step 4: Create a SecretHub service account

SecretHub uses service accounts to grant non-human parties (such as CIs) access to secrets. To create a service account, run the secrethub service init command:

secrethub service init --permission read your-username/repo-name

This command will output the generated account credential. Make sure to copy it as it will be needed in the next step.

The --permission read flag will grant the service read access to the specified repo.

Note that you can use the --clip flag to write the output of the command to your clipboard:

secrethub service init --clip --permission read your-username/repo-name

Step 5: Provide the credential to Travis CI

  1. Log in to the Travis CI web interface and navigate to your repository
  2. Choose “Settings” from the “More options” menu
  3. Scroll to the “Environment Variables” section
  4. Set the variable name to SECRETHUB_CREDENTIAL and the value to the credential generated in the previous step. Make sure that DISPLAY VALUE IN BUILD LOG is unchecked, so the credential is never printed in the build log, and click Add.

You have successfully configured your Travis CI pipeline to automatically fetch secrets from the SecretHub API, while also simplifying secret provisioning in development and production environments. Moreover, you can now rotate your secrets and the pipeline will automatically use their latest version.


Happy coding!