Secret Management for CircleCI

The Solution

Replace secret values with reference tags

Collect all secrets from your CircleCI environment and use the SecretHub CLI to safely store them in a centralized location.

Simply add secrethub:// reference tags to your job in either your .circleci/config.yml file or in CircleCI Contexts, to automatically load secrets at runtime:

Before

After

Enable JavaScript to see rich diff

diff --git a/.circleci/config.yml b/.circleci/config.yml

index ab738a4..07f36c3 100644

--- a/.circleci/config.yml

+++ b/.circleci/config.yml

@@ -1,21 +1,26 @@

 version: 2.1

+orbs:

+  secrethub: secrethub/cli@1.0.0

 

 jobs:

   publish:

     docker:

       - image: cimg/base:stable

+    environment:

+      DOCKER_USERNAME: secrethub://company/app/docker/username

+      DOCKER_PASSWORD: secrethub://company/app/docker/password

     steps:

       - checkout

       - setup_remote_docker

       - run:

           name: Build Docker image

           command: docker build -t company/app:${CIRCLE_SHA1:0:7} .

-      - run:

-          name: Publish Docker image

+      - secrethub/exec:

+          step-name: Publish Docker image

           command: |

             echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin

             docker push company/app:${CIRCLE_SHA1:0:7}

 workflows:

   deploy:

     jobs:

       - publish

View Docs View on GitHub

A single source of truth, codified and version controlled

No hidden pipeline dependencies: secrets explicitly declared in the same file as the job
No more manually syncing the CircleCI Environment Variables GUI
Easier pipeline development because secret definitions can be branched too

CircleCI log UI with AWS_SECRET_ACCESS_KEY value masked

Prevent accidents and leaks

Scope secrets to a single command or job, instead of the entire CircleCI config
All secret values are automatically masked from log output

Audit log of a CircleCI job loading a Docker password

Control & monitor when your CircleCI job reads secrets

Every time your CircleCI job starts, secret reads gets recorded on the audit log. Restrict access to only the secrets it needs and know that you can revoke access with a single command.

Why SecretHub?

All secrets are end-to-end encrypted, access controlled, and auditable
A single source of truth to keep all systems, apps, and services in sync
No operations and maintenance overhead in hosting a complex secret server

Keep CircleCI Secrets
Safe and In Sync

Good CI/CD Deserves Good Secret Management

Replace secret values with reference tags

Before

After

A single source of truth, codified and version controlled

Prevent accidents and leaks

Control & monitor when your CircleCI job reads secrets

Why SecretHub?

Unify secret management
across all software delivery phases

…in your terminal or IDE

MacOS

Linux

Windows

VS Code

…in your apps

Environment Variables

Config Files

Key Files

Docker

…on your cloud or datacenter

AWS

Google Cloud

Azure

On-prem / bare-metal

Keep CircleCI Secrets Safe and In Sync

Good CI/CD Deserves Good Secret Management

Replace secret values with reference tags

Before

After

A single source of truth, codified and version controlled

Prevent accidents and leaks

Control & monitor when your CircleCI job reads secrets

Why SecretHub?

Unify secret management across all software delivery phases

…in your terminal or IDE

MacOS

Linux

Windows

VS Code

…in your apps

Environment Variables

Config Files

Key Files

Docker

…on your cloud or datacenter

AWS

Google Cloud

Azure

On-prem / bare-metal

Keep CircleCI Secrets
Safe and In Sync

Unify secret management
across all software delivery phases