Add a secret to jobs
You can add secrets such as tokens, certificates, and username/password pairs to Continuous Delivery (CD) jobs. Jobs can access secrets in the environment when they run. Secrets are stored encrypted in the CD database and can only be added to jobs that have already been created. Secrets are limited to the job where you create them. If a secret is applicable to multiple jobs, you must add that secret to each relevant job.
You must create a job before you can add a secret. Jobs with secrets require puppetlabs-cd4pe_jobs module version 1.6.0 or higher. You install this module when you Configure job hardware.
When you run jobs that use secrets, you can see where jobs use secrets in the jobs' logs. Sensitive values are redacted.
- In the Continuous Delivery (CD) web UI, click Jobs.
- Locate the job you want to add a secret to and click Edit.
- Click Add secret.
- Enter a Name and (optional) Description for the secret.
  Secret names must be unique within each workspace and can only contain letters, numbers, and underscores. If you use a dash or space in a secret name, it is automatically converted to an underscore.
  Once you save a secret, you can't change its name. If you need to change a secret's name, you must delete and recreate it.
- Select the Secret Type, complete the remaining fields according to the secret type, and click Save.
  Once you save the secret, you can't see the information you put in these sensitive fields when you edit the secret.
- Continuous Delivery (CD) stores secrets as environment variables. After saving a secret, Continuous Delivery (CD) shows you the environment variable you can use to reference the secret in the code in the Job commands section.
  Example of partial job command code without a secret variable:
      curl -H "Authorization: Bearer <TOKEN>" -k -s
  Example of partial job command code with a secret variable:
      curl -H "Authorization: Bearer $CD4PE_SECRET_<SECRET_NAME>" -k -s
  Secrets with multiple values, such as username and password combinations, generate multiple environment variables. Make sure you use the correct environment variables at the correct locations in your code. You can click the secret's name on the Edit job page to see the secret's environment variable(s) at any time.
- Click Save changes when you are done adding secrets to the job and customizing the Job commands code.
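A defensive preamble for the Job commands described above, as an added example that is not part of the product documentation: it fails the job early when an expected secret variable is missing, and hands the token to curl through --config on standard input so it does not appear in curl's argument list. The variable name CD4PE_SECRET_API_TOKEN and the URL are assumptions; use the variable shown for your secret on the Edit job page.

```shell
# Added example, not from the product docs. Variable names are assumptions;
# use the names shown for your secret on the Edit job page.

# require_secrets VAR...: succeed only if every named variable is set and non-empty.
# Logs variable names only, never values.
require_secrets() {
  missing=0
  for name in "$@"; do
    # Accept only identifier characters so eval never sees anything else.
    case "$name" in
      ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*)
        echo "invalid variable name" >&2; return 2 ;;
    esac
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing secret variable: $name" >&2
      missing=1
    fi
  done
  unset value
  return "$missing"
}

# bearer_config VAR: print a curl config line carrying the token held in $VAR.
# Piped to `curl --config -`, the token stays out of curl's argument list.
bearer_config() {
  require_secrets "$1" || return
  eval "token=\${$1}"
  # Quotes and backslashes would change how curl parses the quoted value.
  case "$token" in
    *\"*|*\\*) echo "unsupported character in $1" >&2; unset token; return 3 ;;
  esac
  printf 'header = "Authorization: Bearer %s"\n' "$token"
  unset token
}

# Usage in Job commands (URL is a placeholder):
#   require_secrets CD4PE_SECRET_API_TOKEN || exit 1
#   bearer_config CD4PE_SECRET_API_TOKEN | curl --config - -s "https://service.example/api"
```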