Problems with Secrets

Use this guide to troubleshoot issues with secrets.

Environment Escaping

The most common root cause of this problem is the use of ${VARIABLE} syntax in your yaml file. Remember that Drone emulates bash substitution and substitutes values in ${VARIABLE} format before the yaml configuration file is parsed. A secret injected with from_secret only exists inside the step container at run time, so a ${PASSWORD} reference in the yaml is replaced before the step ever runs and the shell never sees it. To prevent a variable from being substituted, escape it with a second dollar sign, as shown below:

kind: pipeline
name: default

steps:
  - name: test
    image: alpine
    environment:
      PASSWORD:
        from_secret: password
    commands:
-   - echo ${PASSWORD}
+   - echo $${PASSWORD}
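To make the two substitution passes concrete, here is an added example (not Drone's own code) that models the pre-parse pass and the container shell's run-time pass. It assumes Drone replaces ${NAME} from the build variables it already knows, turns an unknown NAME into an empty string, and treats $$ as the escape for a literal $; the real implementation (github.com/drone/envsubst) supports more forms than this. The PASSWORD value and DRONE_BRANCH sample are constructed.

```python
import re

# Added example, not Drone's own code: a small model of the pre-parse
# substitution. Assumptions: Drone replaces ${NAME} from build variables it
# already knows before the YAML is parsed, an unknown NAME becomes an empty
# string, and "$$" escapes to a literal "$".

BUILD_VARS = {"DRONE_BRANCH": "master"}  # constructed sample of build-time variables
VAR_RE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def drone_substitute(text, build_vars=BUILD_VARS):
    """Pre-parse pass: '$$' -> '$', '${NAME}' -> build var or ''."""
    out, i = [], 0
    while i < len(text):
        if text.startswith("$$", i):
            out.append("$")
            i += 2
            continue
        m = VAR_RE.match(text, i)
        if m:
            out.append(build_vars.get(m.group(1), ""))
            i = m.end()
            continue
        out.append(text[i])
        i += 1
    return "".join(out)


def shell_expand(command, step_env):
    """Run-time pass: what the container shell does with $NAME / ${NAME}."""
    return re.sub(
        r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?",
        lambda m: step_env.get(m.group(1), ""),
        command,
    )


def echo_output(command, step_env):
    """What an 'echo ...' command prints after both passes (whitespace-trimmed)."""
    final = shell_expand(drone_substitute(command), step_env)
    if not final.startswith("echo"):
        raise ValueError("expected an echo command")
    return final[len("echo"):].strip()


if __name__ == "__main__":
    env = {"PASSWORD": "hunter2"}  # constructed: secret injected via from_secret
    for cmd in ("echo ${PASSWORD}", "echo $${PASSWORD}", "echo $PASSWORD", "echo ${DRONE_BRANCH}"):
        print(f"{cmd!r:24} -> {echo_output(cmd, env)!r}")
```

Running it shows the failure mode directly: echo ${PASSWORD} prints an empty line because the pre-parse pass already removed it, while echo $${PASSWORD} and echo $PASSWORD both reach the shell intact and print the value, and echo ${DRONE_BRANCH} is the intended use of the pre-parse pass.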

Another common problem we see is the use of the settings block for pipeline steps with commands. The settings block is only for plugins (its values are exposed to the plugin as PLUGIN_ prefixed environment variables) and is ignored for steps with commands. For steps with commands, use the environment block to pass secrets to the pipeline step as environment variables.

kind: pipeline
name: default

steps:
  - name: test
    image: alpine
-   settings:
+   environment:
      PASSWORD:
        from_secret: password
    commands:
    - echo $PASSWORD

Pull Requests

Another common problem we see is that secrets are disabled for pull requests by default, for security reasons: a pull request can come from a fork, and anyone able to open one could otherwise edit the yaml to print or exfiltrate the secret. You can allow pull requests access to a secret when you create it (the pull request option when adding the secret in the user interface, or the --allow-pull-request flag of drone secret add). Only do this for secrets you would be comfortable exposing to any contributor.

Command Line Execution

If you are executing builds using the drone exec command, please be advised that this command has no communication with the server, and therefore does not fetch secrets from the server for your local build. If you need secrets to run your build locally you need to provide them yourself, for example as a file of name=value lines passed with --secret-file:

$ cat <<EOF > secrets.txt
username=octocat
password=correct-horse-battery-staple
EOF

$ cat .drone.yml
kind: pipeline
name: default
steps:
- name: test
  image: alpine
  environment:
    USERNAME:
      from_secret: username
    PASSWORD:
      from_secret: password
  commands:
  - env

$ drone exec --secret-file=secrets.txt

Incorrect or Masked Secrets

Drone masks the values of secrets in your output. The secret value may be masked with asterisks (for example *****) or with the name of the secret (for example [secret:<name>]). In either case, this is completely normal and is not indicative of an issue with Drone. A masked value actually tells you the secret reached the step; an empty value where you expected the secret is the symptom to investigate using the sections above.
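The following added example (not Drone's own code) models that masking and turns it into a quick diagnostic over step output. It assumes the runner replaces every literal occurrence of a secret value in a log line with a fixed mask string (the actual mask text varies by version, as noted above) and, as a defensive choice of this model, masks each line of a multi-line secret separately. The secret values and raw output lines are constructed.

```python
# Added example, not Drone's own code: a model of log masking. Assumptions:
# every literal occurrence of a secret value in a line is replaced with MASK,
# and each line of a multi-line secret (for example a PEM key) is masked on
# its own.
MASK = "******"


def mask_fragments(secret_values):
    """Line fragments to mask, longest first so a secret that is a prefix of
    another cannot leave its tail exposed."""
    fragments = set()
    for value in secret_values:
        for part in value.splitlines():
            if part.strip():
                fragments.add(part)
    return sorted(fragments, key=len, reverse=True)


def mask_line(line, secret_values):
    for frag in mask_fragments(secret_values):
        line = line.replace(frag, MASK)
    return line


def classify_output(raw_lines, secret_values):
    """Return (masked_line, verdict) pairs. 'secret-present' means the value
    reached the step; 'empty' where a value was expected usually means it was
    never injected (pull request build, ${} substitution, settings block)."""
    result = []
    for raw in raw_lines:
        masked = mask_line(raw, secret_values)
        if masked != raw:
            verdict = "secret-present"
        elif raw == "":
            verdict = "empty"
        else:
            verdict = "plain"
        result.append((masked, verdict))
    return result


# Constructed sample: the secret store and the raw step output before masking.
SECRETS = {"hunter2", "-----BEGIN KEY-----\nMIIBexample\n-----END KEY-----"}
RAW_OUTPUT = ["hunter2", "", "MIIBexample", "build ok"]

if __name__ == "__main__":
    for masked, verdict in classify_output(RAW_OUTPUT, SECRETS):
        print(f"{masked!r:16} {verdict}")
```

Note that masking in this model is a literal string match: a secret that is printed base64-encoded, hex-encoded or otherwise transformed is not masked, so treat masking as a convenience for reading logs, not as a control that stops a step from leaking a secret.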

Still Experiencing Issues?

If you have tried all of the above and are still experiencing issues, please create a discourse thread that includes all of the requested information:

  1. Version of Drone. If using drone exec please make this clear.
  2. Full result of drone repo info <repository> (Do not redact the repository name)
  3. Full result of drone build info <repository> <build>
  4. Full result of drone secret info <repository> <secret> for each secret
  5. Full yaml configuration file
  6. Full logs for the failed pipeline step, copied from the user interface
  7. Runner configuration.