Replace secret environment variables with reference tags
Gather all secrets from your CircleCI environment variables and use the SecretHub CLI to safely store them in a centralized location.
Add secrethub:// reference tags to your job, either in your .circleci/config.yml file or in CircleCI Contexts, to automatically load secrets at runtime.
A single source of truth for your secrets
With your secrets centralized, you know that when a value is updated, CircleCI and all other tools will have it on the next run.
- No more manually syncing the CircleCI Environment Variables GUI
- No hidden pipeline dependencies: secrets are explicitly declared in the same file as the job that needs them
- No more evaluations of each tool's own secret store
Develop and maintain pipelines without breaking them
Secrets shouldn't get in the way when you're developing pipelines. Leverage the powerful reference syntax for cleaner, more predictable, and reproducible CircleCI pipelines:
Pin secret versions
Switch secrets between environments
Run jobs locally too
This is the missing piece for achieving dev/prod parity when running CircleCI jobs locally: loading secrets now works the same way no matter where you're running.
Prevent accidents and leaks
Mistakes are easily made. Keep your peace of mind and ensure your CircleCI logs won't give away the keys to the kingdom.
- All secret values are automatically masked from log output
- Secrets are end-to-end encrypted and plaintext values only exist in memory during the lifetime of a job
- Scope secrets to a single command or job, instead of the entire CircleCI config
Control & monitor when CircleCI reads secrets
Every time your CircleCI job starts, its secret reads get recorded in the audit log. Restrict the job's access to only the secrets it needs and know that you can revoke access with a single command.
Managing secrets for most CI tools is a pain in the ass. The only way to define secrets is to manually define them as env vars in the GUI, which takes a lot of time. This is fine for 1 project, but we have over 180 projects so that's not an option. SecretHub is a big time saver in that regard. It's really easy to use and I got a pipeline with secrets up and running within half an hour!
Every day I have clients that have cleartext passwords or need to manage various password vaults. The common denominator is that code becomes a security risk, and it becomes extremely cumbersome to deploy applications and share secrets. With SecretHub, I can now develop, test and deploy without a single secret anywhere near my code or tools. This is what the industry has needed for a long long time!
We've tried pretty much every solution out there for secrets management and SecretHub is The Thing filling the void in our pipeline. The experience was super nice: we had zero friction integrating SecretHub with our infrastructure.
By injecting passwords and tokens with the template tags, we’re now able to keep our application config files the same throughout the entire DTAP street. This is a real time saver, especially when you do a dedicated DTAP pipeline per customer.
Be up and running in no time
Follow the step-by-step guide and you'll be loading secrets into CircleCI today.