FlowCI / flow-core-x

Powerful and user-friendly CI/CD server with high availability, parallel processing, runner auto-scaling
https://flowci.github.io
Apache License 2.0

Question: How to import secrets into steps safely #396

Closed luke-riu closed 3 years ago

luke-riu commented 3 years ago

In my config I have a token called service_key.
I have a step something like this:

- name: firebase_secret
  envs:
    SERVICE_KEY: service_key
  bash: |
    sh ${FLOWCI_GIT_REPO}/secret_script.sh ${SERVICE_KEY}

but the input parameter in the script just receives "service_key" as a value, rather than the actual value stored in the secrets. How do I get the actual secret into the script? Thanks

gy2006 commented 3 years ago

The current version doesn't support getting a secret key from envs. This feature is under development and will be included in the next release.

You could use the flow.ci API to get the actual secret value as a workaround, e.g.:

your_secret=$(curl -X GET "${FLOWCI_SERVER_URL}/api/secret/test-token-2" -H "AGENT-TOKEN: ${FLOWCI_AGENT_TOKEN}" -s | python3 -c "import sys, json; print(json.load(sys.stdin)['data']['token']['data'])")

echo "$your_secret"

If Python is not available in your agent environment:

your_secret=$(curl -X GET "${FLOWCI_SERVER_URL}/api/secret/test-token-2" -H "AGENT-TOKEN: ${FLOWCI_AGENT_TOKEN}" -s | grep -Eo '"data"[^,]*}' | sed 's/"data":"//; s/"}}}//')

echo "$your_secret"

luke-riu commented 3 years ago

Ah that's excellent news. Thanks 😊

luke-riu commented 3 years ago

Hi. I was wondering if this was resolved in the latest release. Thanks.

gy2006 commented 3 years ago

Yes, here is an example. You could reference the secret from the YAML block secrets, and use it as an environment variable:

  - name: test
    docker:
      image: flowci/debian-git
    secrets:
      - 'test_token'
    bash: |
      echo ${test_token}

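
One way for a script such as the `secret_script.sh` in the question to consume the secret from the environment variable that the `secrets:` block sets, instead of taking it as a command-line argument or echoing it into the build log. This is an added example, not part of the thread and not FlowCI's own code; the function names are hypothetical and the demo value is constructed.

```shell
#!/bin/sh
# Added example (not FlowCI code): consume a step secret from the environment.
# Assumes the step lists 'test_token' under `secrets:`, so the agent exposes
# it as $test_token, as in the reply above. Function names are hypothetical.

# Print a short SHA-256 fingerprint of stdin, safe to write to a build log.
fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -c1-12
    else
        shasum -a 256 | cut -c1-12
    fi
}

# Write the value of the named variable to stdout. Returns 1 when it is
# unset or empty (for example a misspelled name), 2 on an invalid name.
require_secret() {
    name=$1
    case $name in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid secret name" >&2; return 2 ;;
    esac
    eval "value=\${$name:-}"   # safe: $name was validated as an identifier
    if [ -z "$value" ]; then
        echo "secret '$name' is not set for this step" >&2
        return 1
    fi
    printf '%s' "$value"
}

# Run a command with the secret fed on stdin, so the value never appears in
# the command's argument list, and log only a fingerprint of it to stderr.
with_secret_on_stdin() {
    name=$1; shift
    secret=$(require_secret "$name") || return $?
    printf 'using %s (sha256:%s)\n' "$name" \
        "$(printf '%s' "$secret" | fingerprint)" >&2
    printf '%s' "$secret" | "$@"
}

# Constructed demo value; in a real step the agent sets test_token.
: "${test_token:=constructed-demo-value}"
with_secret_on_stdin test_token wc -c
```
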
luke-riu commented 3 years ago

Perfect. Thank you :)