How to use managed secret for GitHub password


Helge Walter

Jul 16, 2020, 5:02:18 AM
to go-cd
Hello,

I'm currently trying to figure out how to use the secrets management in GoCD.
I want to use a secret for the password of a git repository material. I read the documentation about it and did the following:
  • Created a local secret db file on the server and put a secret named "GITHUB_API_TOKEN" into it.
  • Configured a secret config named "gocd-ops" and allowed it for use in my pipeline group.
  • Then I composed the placeholder as described in the docs: {{SECRET:gocd-opsGITHUB_API_TOKEN}} and pasted it into the password field of the material.
When I try to verify the connection it fails with HTTP/403 status code.

So what did I do wrong?

Looking at the config XML, it is stored as "encryptedPassword", and exporting it as JSON, it is also stored as "encrypted_password". So I don't know if GoCD did recognize it as a reference to the secret or just uses the placeholder as password.

Regards,
Helge

Helge Walter

Jul 16, 2020, 5:34:23 AM
to go-cd
I did create the placeholder the wrong way. It seems that the following one is better:
{{SECRET:[gocd-ops][GITHUB_API_TOKEN]}}
But now ... If I try to verify the connection I get the following error:
SecretParam 'GITHUB_API_TOKEN' is used before it is resolved.

I verified the plugin configuration and the secret DB file but this seems to be correct.

What's wrong now?

Regards,
Helge

kritik...@thoughtworks.com

Jul 16, 2020, 5:47:22 AM
to go-cd
Hello Helge,

All the steps you have taken are correct. This seems like a bug in GoCD. I would suggest opening an issue here: https://github.com/gocd/gocd/issues.

Before that, can you verify that the secret config can be accessed by the pipeline group/environment you are currently trying this out with? For this you would need to check the 'rules' section for the secret config.

Thanks
Kritika

Aravind SV

Jul 16, 2020, 6:19:00 AM
to kritik...@thoughtworks.com, go-cd

> All the steps you have taken are correct. This seems like a bug in GoCD. I would suggest opening an issue here https://github.com/gocd/gocd/issues.

I wonder if it’s because a pipeline is not created (yet) at the time of “Test connection” – assuming this is at the time of creation of the pipeline. If that’s the case, maybe trying it after the pipeline is created might be a way forward.

Cheers,
Aravind

Helge Walter

Jul 16, 2020, 6:45:05 AM
to go-cd
Hello Aravind,

The pipeline was created before I tried to verify the connection. I created it using the actual password and changed it to the placeholder afterwards.

A question regarding Pipelines as code: When exporting the pipeline, e.g. as JSON, the password (or the placeholder) is exported as encrypted string. This is not portable between GoCD instances. Is it somehow possible to specify it in JSON as plain text?

Regards,
Helge

Helge Walter

Jul 16, 2020, 7:01:54 AM
to go-cd
Hello Kritika,

You were right, I had a typo in the pipeline group name in the rules of the secret config. But correcting this did not solve the error message.
But I tried to execute the pipeline and it worked. The git repository was checked out on the agents. It seems that this is only a bug of the "Verify connection" function.

Regards,
Helge

Aravind SV

Jul 16, 2020, 7:08:17 AM
to Helge Walter, go-cd

Hello Helge,

> A question regarding Pipelines as code: When exporting the pipeline, e.g. as JSON, the password (or the placeholder) is exported as encrypted string. This is not portable between GoCD instances. Is it somehow possible to specify it in JSON as plain text?

I think not. At the time the export happens, the pipeline does not even know that the secret is defined using a secret parameter. Same with templates. So, you’ll need to replace it after the export. :(

Cheers,
Aravind

Helge Walter

Jul 16, 2020, 9:09:26 AM
to go-cd
I had a look at the implementation of the JSON and Groovy Config Repo Plugins and found that you can specify a plain text password there for usage with such secrets. This is nice :)
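Added example, not part of the original thread and not GoCD code: a post-export step that replaces the instance-specific "encrypted_password" on git materials with the secret placeholder, rejecting malformed placeholders like the first one tried above. The "materials"/"type" layout and the plain-text "password" key are assumptions about the JSON config repo format; the sample export is constructed.

```python
import json
import re

# Well-formed secret param as given in the thread: {{SECRET:[config_id][key]}}
SECRET_PARAM = re.compile(r"^\{\{SECRET:\[([^\[\]{}]+)\]\[([^\[\]{}]+)\]\}\}$")


def parse_secret_param(value):
    """Return (config_id, key) for a well-formed placeholder, else None."""
    m = SECRET_PARAM.match(value)
    return (m.group(1), m.group(2)) if m else None


def make_portable(pipeline, placeholder):
    """Swap instance-specific encrypted_password values on git materials
    for a plain-text secret placeholder. Returns the number of changes."""
    if parse_secret_param(placeholder) is None:
        raise ValueError(f"malformed secret param: {placeholder!r}")
    changed = 0
    for material in pipeline.get("materials", []):
        if material.get("type") != "git":
            continue
        if "encrypted_password" in material:
            # Ciphertext is bound to the exporting server; drop it entirely.
            del material["encrypted_password"]
            material["password"] = placeholder  # assumed plain-text key
            changed += 1
    return changed


# Constructed sample export; the ciphertext is a dummy, not a real value.
SAMPLE_EXPORT = json.loads("""
{
  "name": "example-pipeline",
  "group": "example-group",
  "materials": [
    {"type": "git", "url": "https://github.com/example/repo.git",
     "username": "ci-bot", "encrypted_password": "AES:constructed:ciphertext"},
    {"type": "dependency", "pipeline": "upstream", "stage": "build"}
  ]
}
""")

if __name__ == "__main__":
    n = make_portable(SAMPLE_EXPORT, "{{SECRET:[gocd-ops][GITHUB_API_TOKEN]}}")
    print(f"rewrote {n} material(s)")
    print(json.dumps(SAMPLE_EXPORT, indent=2))
```

Because the committed file then holds only the placeholder, the real token stays in the secret backend and the same JSON can be loaded by any instance that defines a matching secret config.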