Drone Vault Support for Secrets Engines

We’re deploying into a multi-account AWS environment and would like to leverage a centralized Vault instance in the same account as our Drone deployment. We went with Vault specifically to avoid things like long-lived access credentials in CI/CD but it appears that the current Drone Vault integration only supports basic KV access. Are there any plans to support retrieving credentials from secrets engines mounted at other paths? Specifically, we’re looking to support retrieving STS Assume Role tokens from the Vault AWS secrets engine.

Hi Dave,

There is a vault plugin at drone/drone-vault. We do not have any immediate plans to add support for more auth methods, however, we published the vault plugin so that others could fork and extend as needed.

We have also accepted pull requests for additional auth methods in the past (Reddit implemented the Kubernetes auth method) and would consider a pull request for improved integration with AWS.

Thanks for the reply!

We are currently using that Vault plugin, and I looked into extending it but could not find a solid reference for the YAML specification of the pipeline secret type. Would you happen to have a source reference? I’ve found the secrets plugin interface in both drone-go and the Vault plugin implementation of that interface, but for the actual YAML featured in the link you shared, is there documentation somewhere on the available fields? It looks like only the path and name fields from within the get key are actually passed on to the plugin, which may make it kind of challenging.

The drone-yaml repository handles the parsing. Looks like the specific sections you need to update are here.
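As an added illustration of the point raised above (only the path and name from the get block reach the plugin), here is a self-contained sketch of a secret plugin that resolves such a request against Vault's HTTP API, handling both a KV v2 path and the AWS secrets engine's STS path. This is example code, not the drone-vault project's own implementation: the Request and Secret types only approximate drone-go's secret plugin interface, the Vault server is a constructed in-process fake with made-up values, and the AllowedMounts check is a design choice added here so a pipeline cannot address arbitrary engines just by editing its YAML. The Vault API shapes used (GET /v1/<path> with X-Vault-Token, aws/sts/<role> returning access_key, secret_key and security_token, KV v2 nesting under data.data) are Vault's real behaviour.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Request carries the two fields the thread says Drone forwards from a pipeline's
// get block. Assumption: drone-go's real secret.Request also carries repo and build
// metadata, which this sketch does not need.
type Request struct {
	Name string // field to return from the Vault response, e.g. "security_token"
	Path string // Vault logical path, e.g. "aws/sts/ci-deploy"
}

// Secret is what the plugin hands back to the pipeline step.
type Secret struct {
	Name string
	Data string
}

// vaultResponse is the part of Vault's read envelope this example uses.
type vaultResponse struct {
	Data          map[string]interface{} `json:"data"`
	LeaseDuration int                    `json:"lease_duration"`
}

// Plugin reads one field from a Vault logical path. AllowedMounts limits which
// engines a pipeline may address; the Vault token should itself be scoped by policy
// to exactly those paths so the plugin is not a bypass for that policy.
type Plugin struct {
	Addr          string
	Token         string
	AllowedMounts []string
	Client        *http.Client
}

// Find resolves req.Path on either the KV engine or the AWS engine (creds/ or sts/
// roles). The AWS engine mints short-lived credentials on every read, so nothing is
// cached here: the lease is the point of using it.
func (p *Plugin) Find(ctx context.Context, req *Request) (*Secret, error) {
	path := strings.Trim(req.Path, "/")
	mount := strings.SplitN(path, "/", 2)[0]
	allowed := false
	for _, m := range p.AllowedMounts {
		if m == mount {
			allowed = true
		}
	}
	if !allowed {
		return nil, fmt.Errorf("mount %q is not permitted for pipeline secrets", mount)
	}
	httpReq, err := http.NewRequestWithContext(ctx, http.MethodGet, p.Addr+"/v1/"+path, nil)
	if err != nil {
		return nil, err
	}
	httpReq.Header.Set("X-Vault-Token", p.Token)
	resp, err := p.Client.Do(httpReq)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("vault read %s: HTTP %d", path, resp.StatusCode)
	}
	var vr vaultResponse
	if err := json.NewDecoder(resp.Body).Decode(&vr); err != nil {
		return nil, err
	}
	data := vr.Data
	// KV v2 nests the user's key/value pairs one level down under data.data.
	if inner, ok := data["data"].(map[string]interface{}); ok {
		data = inner
	}
	val, ok := data[req.Name].(string)
	if !ok {
		return nil, fmt.Errorf("field %q not found at %s", req.Name, path)
	}
	return &Secret{Name: req.Name, Data: val}, nil
}

// newFakeVault is a constructed stand-in for a Vault server (not real Vault) that
// serves one AWS STS role and one KV v2 secret with made-up values, and enforces
// the token header the way Vault does.
func newFakeVault(token string) *httptest.Server {
	mux := http.NewServeMux()
	auth := func(h http.HandlerFunc) http.HandlerFunc {
		return func(w http.ResponseWriter, r *http.Request) {
			if r.Header.Get("X-Vault-Token") != token {
				http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
				return
			}
			h(w, r)
		}
	}
	mux.HandleFunc("/v1/aws/sts/ci-deploy", auth(func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(map[string]interface{}{
			"lease_duration": 900, // constructed: STS creds expire, which is the goal
			"data": map[string]string{
				"access_key":     "ASIA_CONSTRUCTED_EXAMPLE",
				"secret_key":     "constructed-secret",
				"security_token": "constructed-session-token",
			},
		})
	}))
	mux.HandleFunc("/v1/secret/data/ci", auth(func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(map[string]interface{}{
			"data": map[string]interface{}{
				"data":     map[string]string{"slack_webhook": "https://hooks.example.invalid/constructed"},
				"metadata": map[string]int{"version": 1},
			},
		})
	}))
	return httptest.NewServer(mux)
}

func main() {
	srv := newFakeVault("s.constructed")
	defer srv.Close()
	p := &Plugin{Addr: srv.URL, Token: "s.constructed", AllowedMounts: []string{"aws", "secret"}, Client: srv.Client()}
	s, err := p.Find(context.Background(), &Request{Name: "security_token", Path: "aws/sts/ci-deploy"})
	fmt.Println(s, err)
}
```

The pipeline side would then reference the engine through the same two fields the thread describes, for example path aws/sts/ci-deploy with name security_token, and the plugin needs no new YAML fields to reach a non-KV mount. What it does need is a Vault policy on the plugin's token that permits only the listed mounts, and an understanding that each read of an AWS path issues fresh credentials with their own lease rather than returning a stored value.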