
Secrets


Secrets store sensitive data like API keys, passwords, and SSH keys. This page explains the types of secrets, their scopes, and how to create and secure them.

Overview

Secrets are encrypted on creation and decrypted at runtime when required for jobs. Once a secret is created, its content is no longer visible to users.

Secrets hold two types of values:

  • Variables: key-value pairs available as environment variables in jobs
  • Files: arbitrary files injected into the job environment at a specified path

Secrets can be created in three scopes: organization, project, and deployment target (environment), each described in its own section below.

How are secret collisions managed?

A collision happens when secrets with the same name are defined on multiple levels. Collisions are resolved by giving precedence to the narrowest scope. In other words:

  • Environment credentials always take precedence
  • Project secrets win over organization secrets
  • Organization secrets take the least precedence

How to create organization secrets

Organization secrets are available to all the projects in the organization. For more granular control, set up secret access policies or use environment credentials.

You can create secrets using either the UI or the command line.

To create an organization secret, go to the organization settings and:

  1. Select Secrets

  2. Press New Secret

    Organization secrets menu

  3. Enter the name of the secret

  4. Add an optional description

  5. To add a key-value pair, enter the secret name and value

  6. Add more variables as needed

  7. To add a file, specify the path and upload the file

  8. Add more files as needed

  9. Press Save secret or proceed to access policy

    Creating a new organization secret

To create secrets with the Semaphore API, see the API reference.

Access policy

Available on plans: Scaleup

Access policies let you control which projects can use an organization secret and whether its contents can be exposed through interactive sessions.

You can apply a policy at three levels:

  • Projects: the secret is available to all, none, or a list of specified projects
  • Debug Sessions: individuals connecting with a debug session can view the contents of the secrets. You can disable debug sessions for jobs using this secret
  • Attaching to jobs: similarly, attaching to a running job can expose secrets. Disabling this option prevents the secret from being viewed

Managing access policies for secrets

How to create project secrets

Available on plans: Startup

Project secrets are only available to the project they are tied to.

To create a project secret, navigate to your project and select the Settings tab.

  1. Select Secrets

  2. Press Add

    Secrets settings for project

  3. Type the name of the secret

  4. Type a description

  5. To add a key-value pair, enter the secret name and value

  6. Add more values as needed

  7. To add a file, specify the path and upload the file

  8. Add more files as needed

  9. Press Save secret

    Creating a project secret

Note that if a secret is defined with the same name at both the organization and project levels, the project-level secret overrides the organization-level secret.

To create secrets with the Semaphore API, see the API reference.

Deployment Targets credentials

Deployment target (environment) credentials are active only for specific pipelines attached to those environments.

For more information, see promotions and environments.

Private repositories and dependencies

Sometimes, you need to access dependencies from private Git repositories. Dependency managers like Bundler, Yarn, and Go modules can access private repositories if you provide an authenticated SSH key in your CI job.

Configuring an SSH key pair

Dependency managers might need to authenticate with SSH to access private repositories.

Follow these steps to set up authentication:

  1. Create an SSH key pair. For example:

    ssh-keygen -t rsa -f id_rsa_semaphoreci

  2. Add the SSH public key to GitHub or Bitbucket. See deploy keys for more information

  3. Add the SSH private key as a secret in Semaphore

    For example, upload the private key as a secret to the path .ssh/id_rsa_semaphoreci

  4. Import the secret in your job and use the dependency manager as usual. For example:

    checkout
    chmod 0600 ~/.ssh/id_rsa_semaphoreci
    ssh-add ~/.ssh/id_rsa_semaphoreci
    bundle install
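
The four steps above, put together in a Semaphore pipeline file, as an added example that is not part of the original page. The secret name private-repo-key, the block name, and the agent machine type and OS image are assumptions; the secret is assumed to have been created with the private key file at the path .ssh/id_rsa_semaphoreci, as described in step 3.

```yaml
# .semaphore/semaphore.yml (added example; names below are assumptions)
version: v1.0
name: Build with private dependencies
agent:
  machine:
    type: e1-standard-2      # assumed machine type
    os_image: ubuntu2004     # assumed OS image
blocks:
  - name: Install dependencies
    task:
      # Import the secret created in step 3. Its file entry is written to
      # ~/.ssh/id_rsa_semaphoreci before the commands run; only jobs in a
      # task that lists the secret can read it.
      secrets:
        - name: private-repo-key   # assumed secret name
      jobs:
        - name: bundle
          commands:
            - checkout
            # Restrict the key to the current user; ssh refuses keys that
            # are readable by others.
            - chmod 0600 ~/.ssh/id_rsa_semaphoreci
            # Load the key into the agent so Bundler's git fetches use it.
            - ssh-add ~/.ssh/id_rsa_semaphoreci
            - bundle install
```

Because the secret is attached at the task level, it is not exposed to other blocks in the pipeline, which keeps the deploy key's reach limited to the job that needs it.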

See also