This page shows you how to store and access sensitive data such as API keys, passwords, certificates, SSH keys, etc. Semaphore uses "secrets" to accomplish this.
Secrets are organization-level objects that contain environment variables and files. The contents of secrets can be accessed in jobs that are part of blocks or pipelines to which they have been connected.
Using secrets in jobs
Open the project page
Click the Edit Workflow button
Select the block to which you want to connect the secret
Find the Secrets section in the right sidebar
Select the secret that you want to be connected
Click the Run the workflow button and then Start
To connect a secret to a particular block add the secrets property, as shown below:
version: v1.0
name: My blue project
agent:
  machine:
    type: e1-standard-2
    os_image: ubuntu1804
blocks:
  - name: Test
    task:
      # Connect secret to all jobs in the block
      secrets:
        - name: blue-secret
      jobs:
        - name: Run tests
          commands:
            - checkout
            - make test
To connect a secret to all jobs in a pipeline use global_job_config, as shown below:
version: v1.0
name: My blue project
agent:
  machine:
    type: e1-standard-2
    os_image: ubuntu1804
global_job_config:
  # Connect secret to all jobs in the pipeline
  secrets:
    - name: blue-secret
blocks:
  ...
Creating and managing secrets
When creating a secret, we recommend that you make it available to the smallest subset of projects possible. To do this, you can use access policies to control which projects can use which of the organization's secrets.
Organization-level secrets let you share secrets between multiple projects, which reduces the need for creating duplicate secrets. Updating an organization secret in one location also ensures that the change takes effect in all projects that use that secret.
By default, all projects have access to secrets, but it is possible to restrict a secret to a specific subset of projects using the project whitelist when creating a new secret or editing an existing one. To do this, choose Whitelisted and enter the project name(s).
Open the dashboard of your organization
Click Secrets in the sidebar -- you can find it in the Configuration section
Click the Create New Secret button
Enter your secret information:
- Specify Name
- Enter the environment variable's name and value
- Enter the destination file path and upload the file
Click Save Changes
Use the sem create secret command to create a secret, as shown below:
sem create secret blue-secret -e AWS_KEY=a1b2 -e AWS_SECRET=r2d2
The same command can be used to create a secret that also contains a file, as shown below:
sem create secret red-secrets -e AWS_KEY=a1b2 -f /Users/john/key.pem:/home/semaphore/key.pem
To view a secret use:
sem get secret blue-secret
To edit a secret use:
sem edit secret blue-secret
For more information about managing secrets check the sem CLI Reference.
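The following preflight script is an added example, not part of the Semaphore documentation. It lets a job confirm that the contents of its connected secrets are present before any command uses them, without writing their values to the job log. It assumes the variables AWS_KEY and AWS_SECRET and the file /home/semaphore/key.pem from the secrets created above are exposed to the job as environment variables and at the destination path; the script name and function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: preflight check for a job that depends on connected secrets.
# Function names are hypothetical. Problems are reported by variable name or
# file path only; secret values are never written to the job log.

# require_env NAME... : fail if any named environment variable is unset or empty.
require_env() {
  local name missing=0
  for name in "$@"; do
    if [ -z "$(printenv "$name")" ]; then
      echo "missing secret variable: $name" >&2
      missing=1
    fi
  done
  return "$missing"
}

# require_file PATH : fail if the secret file is absent or empty, then
# restrict it to the job user (ssh refuses group/world-readable keys).
require_file() {
  if [ ! -s "$1" ]; then
    echo "missing or empty secret file: $1" >&2
    return 1
  fi
  chmod 600 "$1"
}

# preflight FILE NAME... : run both checks so every problem is reported at once.
preflight() {
  local file=$1 rc=0
  shift
  require_env "$@" || rc=1
  require_file "$file" || rc=1
  return "$rc"
}

# Example: ./preflight.sh /home/semaphore/key.pem AWS_KEY AWS_SECRET
if [ "$#" -gt 0 ]; then
  preflight "$@"
fi
```

A non-zero exit stops the job early and names the secret variable or file that is missing, which usually means the secret is not connected to that block or pipeline.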