How to use secrets management with config repositories?


AquilaNiger

Jan 23, 2020, 12:35:12 PM
to go-cd
Hi community, 

we're currently moving some of our pipelines to a new server running a fresh and clean GoCD 19.12 and we would like to make use of all those cool features we were not using so far. One of these is using config repositories and secret management, but now I'm stuck with moving my first pipeline, because I'm not sure how to use secrets of the secret management within the yaml configuration file and I haven't found any examples yet. Would be nice if someone could point me in the right direction or give a short example.

What I did so far:
  • export the pipeline in the old server as yaml
  • check the yaml file in to the repository of the source code
  • configure the config repository in the new server
  • create a secrets db in the new server and add all required passwords
  • edit the yaml file and replace the previously encrypted passwords with an access to the secrets management:
    secure_variables:
          MY_PASSWORD: AES:...==
    becomes
    secure_variables:
          MY_PASSWORD: {{SECRET:[mysecrets][MY_PASSWORD]}}
    where mysecrets is the name of the configuration in the secret management and MY_PASSWORD is the name of the secret stored in the database configured.
This is not working currently, because the parsed config repository shows the error
build_and_test.gocd.yml; 1. Line 14, column 27: Expected scalar, sequence, or mapping but found: mapping end
which is the line defining MY_PASSWORD and I assume that the replacement of a secret is not working here.

To make a long story short:
Can I use the access of secrets in the yaml file of a config repository or is this feature not supported?
If it is supported, what am I doing wrong?

Thanks in advance for all the help! 

Ketan Padegaonkar

Jan 23, 2020, 8:34:54 PM
to go...@googlegroups.com
Maybe try quoting the value. Braces and brackets have special meaning in YAML. AFAIK a `[` is interpreted as the beginning of an array.

If this does not work, please open an issue on GitHub and someone will take a look into it.


AquilaNiger

Jan 24, 2020, 6:01:53 AM
to go-cd
Single quotes help to solve the syntax error. Nevertheless, the combination of secrets management and config repositories is still not working. Now I'm getting an error that the value for those variables is invalid and that this "usually happens when the cipher text is modified". I still don't know how this is supposed to work in combination.

Aravind SV

Jan 27, 2020, 5:19:38 AM
to go...@googlegroups.com
As far as I know, the secret will be substituted in GoCD and not in the plugin. Can you please open an issue with information to reproduce it?

Cheers,
Aravind
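
As an added example (not part of the thread and not GoCD code): a small pre-commit check for config-repo YAML that flags the two failures reported above, an unquoted `{{SECRET:...}}` value and a secret reference placed under `secure_variables`. The function name and the sample pipeline are constructed for illustration, and the scan is line-based and assumes block-style, space-indented YAML rather than doing a full parse.

```python
import re

# Secret reference syntax as written in the thread: {{SECRET:[config_id][key]}}
SECRET_REF = re.compile(r"\{\{SECRET:\[[^\]]+\]\[[^\]]+\]\}\}")
# "key: value" on one line; comment lines and bare scalars do not match.
KEY_VALUE = re.compile(r"^(\s*)([^\s:#][^:]*):\s*(.*?)\s*$")


def lint_gocd_yaml(text):
    """Return (line_no, key, problem) for secret references the thread shows failing."""
    findings = []
    secure_indent = None  # indentation of the currently open secure_variables block
    for no, line in enumerate(text.splitlines(), 1):
        m = KEY_VALUE.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        # A key at the same or shallower indentation closes the block.
        if secure_indent is not None and indent <= secure_indent:
            secure_indent = None
        if key == "secure_variables" and value == "":
            secure_indent = indent
            continue
        if not SECRET_REF.search(value):
            continue
        quoted = value[0] in "'\"" and value[-1] == value[0]
        if not quoted:
            # First post: the parser reports "found: mapping end" on this line.
            findings.append((no, key, "unquoted: '{' opens a YAML flow mapping"))
        if secure_indent is not None:
            # Third post: quoting alone led to the "cipher text is modified" error.
            findings.append((no, key, "under secure_variables: rejected as invalid cipher text"))
    return findings


# Constructed sample, modelled on the snippet in the first post.
SAMPLE = """\
pipelines:
  build_and_test:
    secure_variables:
      MY_PASSWORD: {{SECRET:[mysecrets][MY_PASSWORD]}}
      OTHER_PASSWORD: '{{SECRET:[mysecrets][OTHER_PASSWORD]}}'
    environment_variables:
      DB_USER: "{{SECRET:[mysecrets][DB_USER]}}"
"""

if __name__ == "__main__":
    for no, key, problem in lint_gocd_yaml(SAMPLE):
        print(f"line {no}: {key}: {problem}")
```

The check only reports the two conditions seen in this thread; it does not decide whether GoCD resolves a quoted reference in any other section.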