Secrets#
This page shows you how to store and access sensitive data such as API keys, passwords, certificates, SSH keys, etc. Semaphore uses "secrets" to accomplish this.
Overview#
Secrets are organization-level objects that contain environment variables and files. The contents of secrets can be accessed in jobs that are part of blocks or pipelines to which they have been connected.
Using secrets in jobs#
Web UI#
- Open the project page
- Click the Edit Workflow button
- Select the block to which you want to connect the secret
- Find the Secrets section in the right sidebar
- Select the secret that you want to be connected
- Click the Run the workflow button and then Start
YAML#
To connect a secret to a particular block add the secrets property, as shown below:
```yaml
version: v1.0
name: My blue project
agent:
  machine:
    type: e1-standard-2
    os_image: ubuntu1804
blocks:
  - name: Test
    task:
      # Connect secret to all jobs in the block
      secrets:
        - name: blue-secret
      jobs:
        - name: Run tests
          commands:
            - checkout
            - make test
```
To connect a secret to all jobs in a pipeline use global_job_config, as shown below:
```yaml
version: v1.0
name: My blue project
agent:
  machine:
    type: e1-standard-2
    os_image: ubuntu1804
global_job_config:
  # Connect secret to all jobs in the pipeline
  secrets:
    - name: blue-secret
blocks:
  ...
```
Creating and managing secrets#
Organization-level secrets let you share one secret across multiple projects, which avoids keeping duplicate copies and means that updating the secret in one place takes effect in every project that uses it. The flip side is that, by default, every project in the organization can use every secret. We recommend making each secret available to the smallest subset of projects possible: when creating a new secret or editing an existing one, choose Whitelisted under the access policy and enter the name(s) of the projects that need it. A secret connected to a block in a project that is not on the whitelist will not be available to its jobs.
Web UI#
- Open the dashboard of your organization
- Click Secrets in the sidebar (you can find it in the Configuration section)
- Click the Create New Secret button
- Enter your secret information:
  - Specify Name
  - Enter the environment variable's name and value
  - Enter the destination file path and upload the file
- Click Save Changes
CLI#
The sem create secret command creates a secret from environment variables passed with -e:

```shell
sem create secret blue-secret -e AWS_KEY=a1b2 -e AWS_SECRET=r2d2
```

Add -f local-path:destination-path to include a file; the file is read from the local path and placed at the destination path in every job that the secret is connected to:

```shell
sem create secret red-secrets -e AWS_KEY=a1b2 -f /Users/john/key.pem:/home/semaphore/key.pem
```

Note that values given on the command line are recorded in your shell history and are visible to other users of the machine in the process list while the command runs, so treat the history entry as sensitive (or run the command in a session with history disabled).

To view a secret use:

```shell
sem get secret blue-secret
```

To edit a secret use:

```shell
sem edit secret blue-secret
```
For more information about managing secrets check the sem CLI Reference.
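An alternative that keeps secret values off the command line is to write a Secret spec file and apply it with `sem create -f`. The script below is an added example, not part of Semaphore's tooling: it reads the environment variable's value from a file and the secret file from disk, base64-encodes the file, and writes a spec to a 0600 temp file that you can review and then pass to `sem create -f`. The spec layout (apiVersion v1beta, kind Secret, data.env_vars and data.files with base64 file content) is what I recall from the sem CLI reference; treat it as an assumption and compare it with the output of `sem get secret` for an existing secret in your organization before relying on it. The secret name, variable name, paths and values are constructed for the demo.

```shell
#!/bin/sh
# Added example: build a Secret spec for `sem create -f` so that values never
# appear as command-line arguments (which land in shell history and in `ps`).
# The spec layout is an assumption taken from memory of the sem CLI reference:
# apiVersion v1beta, kind Secret, data.env_vars[].{name,value},
# data.files[].{path,content} with content base64-encoded. Verify it against
# `sem get secret <name>` in your organization before using it.

# b64 FILE -> base64 of FILE on a single line (GNU and BSD base64 wrap differently).
b64() {
  base64 < "$1" | tr -d '\n'
}

# build_secret_spec NAME VAR VALUE_FILE SRC_FILE DEST_PATH -> YAML on stdout.
# The variable's value is read from VALUE_FILE and the secret file from
# SRC_FILE, so neither value is ever passed as an argument. Double quotes and
# backslashes in the value are escaped so the YAML string stays valid.
build_secret_spec() {
  name="$1"; var="$2"; value_file="$3"; src="$4"; dest="$5"
  value=$(sed 's/["\\]/\\&/g' "$value_file")
  cat <<EOF
apiVersion: v1beta
kind: Secret
metadata:
  name: $name
data:
  env_vars:
    - name: $var
      value: "$value"
  files:
    - path: $dest
      content: $(b64 "$src")
EOF
}

# write_spec NAME VAR VALUE_FILE SRC_FILE DEST_PATH -> path of a 0600 temp
# file holding the spec. It contains the secret: review it, apply it, delete it.
write_spec() {
  spec=$(mktemp)
  chmod 600 "$spec"
  build_secret_spec "$@" > "$spec"
  echo "$spec"
}

# --- Demo with constructed inputs (the sem call itself is left commented) ---
tmp=$(mktemp -d)
printf 'r2d2' > "$tmp/aws_secret.txt"; chmod 600 "$tmp/aws_secret.txt"
printf 'placeholder key material, not a real key\n' > "$tmp/key.pem"
spec=$(write_spec red-secrets AWS_SECRET "$tmp/aws_secret.txt" "$tmp/key.pem" /home/semaphore/key.pem)
# Show the structure for review without echoing the values themselves.
grep -v -e 'content:' -e 'value:' "$spec"
# sem create -f "$spec" && rm -f "$spec"
```

Because the value file is only ever read by the script, the same approach works unattended (a password manager or KMS client can write the value file and the script consumes it), and the only artifact containing the secret is the 0600 spec file, which should be removed as soon as `sem create` succeeds.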