Using Drone with external secrets from AWS Secret Manager

You can use external secret stores like AWS Secret Manager with Drone by using the Drone Secrets extension. The Drone Secrets extension allows you to store secrets in external secret stores and use them in your Drone pipelines.

Here are the general steps to follow:

  1. Install and configure the Drone Secrets extension:

First, install the Drone Secrets extension and configure it to use your external secret store. The Drone Secrets extension supports a variety of secret stores, including AWS Secret Manager.

The Drone Secrets extension is a separate component that needs to be installed and configured alongside the Drone server. Here are the general steps to install the Drone Secrets extension:

      1. Create a Kubernetes secret with your secret store credentials:

Create a Kubernetes secret that contains the credentials needed to access your secret store. For example, if you’re using AWS Secret Manager, you might create a secret like this:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: drone-secrets-aws
type: Opaque
data:
  # base64-encoded placeholders; replace as described below
  AWS_ACCESS_KEY_ID: <base64-encoded-access-key-id>
  AWS_SECRET_ACCESS_KEY: <base64-encoded-secret-access-key>
```

Replace <base64-encoded-access-key-id> and <base64-encoded-secret-access-key> with the base64-encoded values of your AWS access key ID and secret access key, respectively.

      2. Deploy the Drone Secrets extension:

Deploy the Drone Secrets extension to your Kubernetes cluster. You can find the latest release of the Drone Secrets extension on the GitHub releases page (https://github.com/drone/drone-secrets/releases).

Here’s an example of how to deploy the Drone Secrets extension:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: drone-secrets
spec:
  replicas: 1
  selector:
    matchLabels:
      app: drone-secrets
  template:
    metadata:
      labels:
        app: drone-secrets
    spec:
      containers:
        - name: drone-secrets
          image: drone/drone-secrets:latest
          env:
            # region and secret name of the AWS Secret Manager secret
            - name: DRONE_SECRET_PLUGIN_AWS_REGION
              value: us-west-2
            - name: DRONE_SECRET_PLUGIN_AWS_SECRET_NAME
              value: my-secret-name
            # AWS credentials are read from the drone-secrets-aws Kubernetes secret
            - name: DRONE_SECRET_PLUGIN_AWS_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: drone-secrets-aws
                  key: AWS_ACCESS_KEY_ID
            - name: DRONE_SECRET_PLUGIN_AWS_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: drone-secrets-aws
                  key: AWS_SECRET_ACCESS_KEY
```

This example deploys the Drone Secrets extension with the DRONE_SECRET_PLUGIN_AWS_REGION and DRONE_SECRET_PLUGIN_AWS_SECRET_NAME environment variables set to the region and secret name of your AWS Secret Manager secret. The extension also reads the AWS access key ID and secret access key from the drone-secrets-aws Kubernetes secret.

      3. Configure the Drone server to use the Drone Secrets extension:

Finally, configure the Drone server to use the Drone Secrets extension by setting the DRONE_SECRET_ENDPOINT environment variable:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: drone-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: drone-server
  template:
    metadata:
      labels:
        app: drone-server
    spec:
      containers:
        - name: drone-server
          image: drone/drone:latest
          env:
            # in-cluster URL of the Drone Secrets extension
            - name: DRONE_SECRET_ENDPOINT
              value: http://drone-secrets:3000/secrets
            - name: DRONE_SERVER_HOST
              value: my-drone-server.example.com
```

This example sets the DRONE_SECRET_ENDPOINT environment variable to the URL of the Drone Secrets extension; the hostname in that URL must resolve inside the cluster to the drone-secrets deployment (typically through a Kubernetes Service of the same name). The DRONE_SERVER_HOST environment variable is also set to the hostname of your Drone server.

Here’s an example of how to configure the Drone Secrets extension to use AWS Secret Manager:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: drone-secrets
  annotations:
    drone.io/secrets: |
      [
        {
          "name": "my-aws-secret",
          "kind": "aws",
          "type": "secretsmanager",
          "data": {
            "secretId": "my-secret-id",
            "region": "us-west-2"
          }
        }
      ]
data: {}
```

In this example, a Kubernetes secret named drone-secrets is created with the drone.io/secrets annotation. The annotation specifies a list of secrets to be loaded by the Drone Secrets extension. The my-aws-secret secret is loaded from AWS Secret Manager with the specified secretId and region.

  2. Use the secrets in your Drone pipelines:

Once the Drone Secrets extension is installed and configured, you can use the secrets in your Drone pipelines by referencing them in your pipeline configuration:

```yaml
kind: pipeline
name: my-pipeline
steps:
  - name: build
    image: docker:19.03
    commands:
      # demonstration only: this writes the secret value into the build log
      - echo $MY_SECRET
    environment:
      MY_SECRET:
        from_secret: my-aws-secret
```

In this example, the MY_SECRET environment variable is set to the value of the my-aws-secret secret loaded from AWS Secret Manager. The $MY_SECRET value can then be used in the build step of the pipeline. Note that echoing it, as this minimal step does, records the secret in the build log; a real step should pass the variable to the tool that needs it instead of printing it.
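To make the extension's role concrete, here is an added example (not code from this page or from the Drone project) of the lookup a secrets extension performs for each from_secret reference: the Drone server sends the secret name together with repository and build metadata, and the extension decides whether to resolve it. The request and response fields are modelled on the Drone secrets extension contract; the in-memory store standing in for AWS Secret Manager, the repository allow-list and the pull-request policy are assumptions.

```python
import json
from typing import Optional

# Constructed stand-in for AWS Secret Manager: secretId -> secret value.
FAKE_SECRETS_MANAGER = {
    "my-secret-id": "s3cr3t-db-password",
}

# Drone secret name (what a pipeline's from_secret references) -> AWS lookup,
# mirroring the drone.io/secrets annotation above.
SECRET_CATALOG = {
    "my-aws-secret": {"secretId": "my-secret-id", "region": "us-west-2"},
}

# Hypothetical allow-list: which repositories may resolve each secret.
ALLOWED_REPOS = {
    "my-aws-secret": {"octocat/hello-world"},
}


def get_secret_value(secret_id: str) -> Optional[str]:
    """Stand-in for the Secrets Manager GetSecretValue call."""
    return FAKE_SECRETS_MANAGER.get(secret_id)


def build_request(name: str, repo_slug: str, event: str) -> str:
    """Constructed JSON body of the kind the Drone server sends per lookup."""
    return json.dumps({"name": name,
                       "repo": {"slug": repo_slug},
                       "build": {"event": event}})


def handle_secret_request(body: str) -> Optional[dict]:
    """Resolve one lookup; None means the extension reports no such secret."""
    req = json.loads(body)
    name = req.get("name", "")
    repo_slug = req.get("repo", {}).get("slug", "")
    event = req.get("build", {}).get("event", "")

    entry = SECRET_CATALOG.get(name)
    if entry is None or repo_slug not in ALLOWED_REPOS.get(name, set()):
        return None
    # Pull-request builds may run code from forks: withhold the secret.
    if event == "pull_request":
        return None
    value = get_secret_value(entry["secretId"])
    if value is None:
        return None
    return {"name": name, "data": value, "pull_request": False}
```

The same name is resolved for a push build on the allowed repository but withheld for a pull-request build and for any repository outside the allow-list.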

That’s it! You can now use external secret stores like AWS Secret Manager in your Drone pipelines using the Drone Secrets extension.