Secrets with S3
See the S3 Getting Started Guide for more information on encryption in S3. This example uses a bucket (
mybucket
) in theus-west-2
region to store GitHub credentials and a kubeconfig file. You reference the bucket by its URLmybucket.us-west-2.amazonaws.com
.
Authorize Spinnaker to access the S3 bucket
Since you’re storing sensitive information, make sure to protect the bucket by restricting access and enabling encryption.
Remember to run the Operator (or Halyard’s daemon) and SpinnakerTM services with IAM roles that allow them to read the keys stored in the AWS S3 Bucket.
Storing secrets
Storing credentials
Store your GitHub credentials in mybucket/spinnaker-secrets.yml
:
github:
password: <PASSWORD>
token: <TOKEN>
Note: You could choose to store the password under different keys than github.password
and github.token
. You’d just need to change how to reference the secret further down.
Storing sensitive files
Some Spinnaker configuration uses information stored as files. For example, upload the kubeconfig
file of your Kubernetes account directly to mybucket/mykubeconfig
:
aws s3 cp /path/to/mykubeconfig s3://mybucket/mykubeconfig
Referencing secrets
Now that secrets are safely stored in the bucket, you reference them from your config files with the following format. The S3 specific parameters (r:<region>
, b:<bucket>
, etc) can be in any order:
encrypted:s3!r:<region>!b:<bucket>!f:<path to file>!k:<optional yaml key>
For example, to reference github.password
from the file above, we’ll use:
encrypted:s3!r:us-west-2!b:mybucket!f:spinnaker-secrets.yml!k:github.password
And to reference the content of our kubeconfig file:
encryptedFile:s3!r:us-west-2!b:mybucket!f:mykubeconfig
Feedback
Was this page helpful?
Thank you for letting us know!
Sorry to hear that. Please tell us how we can improve.
Last modified January 25, 2021: (1b76da5)