HashiCorp Cloud Platform
Integrate with GitLab
GitLab customers can retrieve secrets from HCP Vault Secrets using the HCP command-line interface (CLI).
Prerequisites:
- A GitLab repository with permissions for viewing and modifying CI/CD job variables.
- An Admin role in an HCP project.
- An HCP Vault Secrets application and secret(s).
Service principal key
Open your web browser and log into the HCP Portal.
Click Access control (IAM). If you see the notification Modifying user permissions, click Go to org-name.
Click Service principals.
Enter a name in the Service principal name textbox and click Create service principal.
In the Keys pane, click Create service principal key.
Copy the Client ID and Client secret. These values will be used later to configure GitLab.
HCP organization and project ID
Navigate back to the project dashboard.
Click the HashiCorp logo in the top left corner.
From the Organizations page, click the ellipses for the organization you want to connect to GitLab and select View.
Click Settings and copy the ID.
Click the Select a project menu and select the project you want to connect to GitLab.
Click Settings and copy the project ID.
The organization ID and project ID values will be used later to configure GitLab.
Click Vault Secrets and copy the name of the application you want to use with GitLab. This value will be used later to configure GitLab.
GitLab
Log into GitLab and access the project you wish to configure for HCP Vault Secrets.
Expand Settings and click CI/CD.
Expand Variables.
Click Add variable.
In the Key text box enter VS_APP_NAME, in the Value field enter the application name you copied from the HCP Portal, then click the Mask variable checkbox and click Add variable. Repeat the steps above to create variables for:
- HCP_CLIENT_ID
- HCP_CLIENT_SECRET
- HCP_PROJECT_ID
If you only have a single project in your HCP organization, you do not need to set the HCP_PROJECT_ID variable.
Configure pipeline
Update your .gitlab-ci.yml to install the HCP CLI and use hcp vault-secrets run to inject secrets as environment variables into any script or command.
Example:
```yaml
image: ubuntu
build: # This job runs in the build stage, which runs first.
  stage: build
  script:
    - apt-get update
    - apt-get install wget gpg coreutils lsb-release -y
    - wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
    - echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/hashicorp.list
    # -y is required: a CI job has no terminal to answer the install prompt.
    - apt-get update && apt-get install hcp -y
    # Secrets from the app are exported as environment variables for the build script only.
    - hcp vault-secrets run --app=$VS_APP_NAME -- ./bin/build.sh
```
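An added example, not from the HashiCorp documentation, of the ./bin/build.sh that the pipeline above runs under hcp vault-secrets run: it checks that the CI variables the HCP CLI needs and the injected secrets are present, naming only the variables (never their values) in the job log. The secret names DOCKER_USER and DOCKER_TOKEN and the registry host registry.example are assumptions.

```shell
#!/bin/sh
# Added example: bin/build.sh invoked by `hcp vault-secrets run --app=$VS_APP_NAME -- ./bin/build.sh`.
# hcp vault-secrets run exports each secret of the app as an environment variable of the same name.
# The secret names DOCKER_USER / DOCKER_TOKEN and registry.example are assumptions, not from the page.

# Return 0 if every named environment variable is set and non-empty; otherwise write the
# missing NAMES (never values) to stderr and return 1, so the job fails fast without leaking.
require_vars() {
    missing=""
    for name in "$@"; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "missing variables:$missing" >&2
        return 1
    fi
    return 0
}

# CI-level variables the HCP CLI itself needs. HCP_PROJECT_ID is optional when the
# organization has a single project, as the page notes, so it is not required here.
check_hcp_cli_vars() {
    require_vars HCP_CLIENT_ID HCP_CLIENT_SECRET VS_APP_NAME
}

# Build step: consumes injected secrets without ever echoing them.
build() {
    set +x                      # if shell tracing was enabled, stop it before touching secrets
    require_vars DOCKER_USER DOCKER_TOKEN || return 1
    # Hypothetical use: pass the token on stdin rather than on the command line,
    # so it does not appear in process listings or the job log.
    printf '%s' "$DOCKER_TOKEN" | docker login --username "$DOCKER_USER" --password-stdin registry.example
}
```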