Summon Buildkite Plugin
summon is a tool for fetching secrets from secure storage; this plugin makes it easy to use in Buildkite jobs.
Some reasons you might care:
- Maybe you’re still hardcoding secrets in your Buildkite pipeline settings? If so, that is bad and you should stop. This plugin helps you stop.
- You can immediately leverage any of the existing summon secrets providers, so you have flexibility in what secure storage you use.
- By installing different default providers on different machines, you can fetch secrets appropriately in different locations without changing configuration, e.g., pulling from a local keyring in development but from AWS SM in CI.
Examples
Here’s a simple pipeline configuration:
    steps:
      - plugins:
          - angaza/summon#v0.1.0:
              secrets-file: path/to/secrets.yml
The secrets fetched by summon are exported as environment variables to the rest of the step, including subsequent plugins. To use with the Docker Compose plugin, for example:
    steps:
      - plugins:
          - angaza/summon#v0.1.0:
              secrets-file: path/to/secrets.yml
          - docker-compose#v2.6.0:
              config: path/to/docker-compose.yml
              run: service-name
Most summon options are supported:
    steps:
      - plugins:
          - angaza/summon#v0.1.0:
              secrets-file: path/to/secrets.yml
              provider: summon-s3
              environment: production
              substitutions:
                - REGION=us-east-1
The plugin runs during the post-checkout hook, the earliest point at which the repo is available, since you will typically (but are not required to) reference a checked-in secrets.yml file.
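Because the secrets.yml referenced above is checked in, it should hold only references that the provider resolves, not secret values. The following is an added example (not part of this plugin or of summon): a shell check that flags literal entries. The sample file, its variable names and its paths are constructed, and the check assumes one `KEY: value` entry per line with `!var` and `!var:file` as the reference tags.

```shell
#!/bin/sh
# Added example: flag secrets.yml entries whose value is a literal rather than
# a provider reference. Literals are valid in summon, so each hit is something
# to review, not necessarily a leak.

# Constructed sample in secrets.yml format; every name and path is made up.
sample_secrets_yml() {
  cat <<'EOF'
common:
  AWS_REGION: $REGION
  DB_USER: !var ci/$REGION/db/username
production:
  DB_PASSWORD: !var ci/$REGION/db/password
  TLS_KEY: !var:file ci/tls/private-key
  API_TOKEN: "hardcoded-token-value-constructed"
EOF
}

# Reads secrets.yml on stdin and prints "line N: KEY" for each literal value.
# Exit status is 1 if any literal was found, 0 otherwise.
lint_secrets_yml() {
  awk '
    /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      pos = index(line, ":")
      if (pos == 0) next
      key = substr(line, 1, pos - 1)
      val = substr(line, pos + 1)
      sub(/^[ \t]+/, "", val)
      sub(/[ \t]+$/, "", val)
      if (val == "") next                      # section header such as "production:"
      if (val ~ /^!var(:file)?[ \t]/) next     # resolved by the provider at run time
      printf "line %d: %s\n", NR, key
      found = 1
    }
    END { exit found ? 1 : 0 }
  '
}
```

Run it as `lint_secrets_yml < path/to/secrets.yml` in a step that precedes the plugin, or in a pre-commit check, and fail the build on a non-zero status once known non-secret literals have been reviewed.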
Prerequisites
summon must already be installed in the environment where your agent runs,
along with whatever provider(s) will be used.
Tests
You can run the tests for this plugin with:
    docker-compose run --rm tests
License
MIT (see LICENSE)