Drone runner not making secret extension requests to DRONE_SECRET_PLUGIN_ENDPOINT

Cordell · October 13, 2021, 12:04am

We have a runner launched via a drone autoscaler that has the following env vars defined the runner docker image, output of docker inspect:

"DRONE_SECRET_PLUGIN_ENDPOINT=http://secret.drone.dev.internal:8008/get-secret"
"DRONE_SECRET_PLUGIN_TOKEN=***********************************",

We have a job that looks like this

---
kind: secret
name: my_secret
get:
  path: some/path/here
  name: my_secret
---
kind: pipeline
name: build

environment:
  MYSECRET:
    from_secret: my_secret

However the job is producing an error: yaml: unmarshal errors: line 6: cannot unmarshal !!map into string which is happening at the line: from_secret: my_secret.

I have verified the runner is able to make HTTP requests to the secret extension service via curl from the runner manually.
I have verified the runner is not attempting to make any requests to my secret extension service when the above job runs and fails.

Is there something obvious I’m doing wrong? Thanks

bradrydzewski · October 13, 2021, 12:17am

The reason you are receiving a yaml parsing error is because pipeline-level environment variables do not support the from_secret syntax. You can only use from_secret syntax with step environment variables.

Cordell · October 13, 2021, 12:39am

Thanks! That was so very frustrating debugging… should we add this to the documentation somewhere? Or is it in the documentation somewhere?