Well-Architected Framework
TeamCity
TeamCity secures CI/CD pipelines with its own password-type parameters and access tokens, and can add a further layer by pulling secrets from an external secret manager such as Vault at build time. With the TeamCity Vault plugin you keep sensitive values in a Vault KV secrets engine and inject them into builds as parameters instead of storing them in TeamCity itself.
A Vault connection can authenticate with either the AppRole or the LDAP auth method. Here is an example, in TeamCity's Kotlin domain-specific language, of a connection that authenticates with AppRole:
project {
    features {
        hashiCorpVaultConnection {
            id = "HashiCups"                    // referenced by vaultId in parameters
            name = "HashiCorp Vault"
            url = "http://127.0.0.1:8200/"      // plaintext http only for a local dev server; use https elsewhere
            vaultNamespace = "enterprise/vault/namespace"   // Vault Enterprise only; omit for Vault OSS
            authMethod = appRole {
                roleId = "..."
                secretId = "..."                // a credential: keep it out of the DSL source (password parameter)
            }
        }
    }
}
The connection specifies an id and display name, the Vault server address, an optional Vault Enterprise namespace, and the AppRole roleID and secretID. The secretID is a credential in its own right: do not commit it in plaintext DSL (store it as a TeamCity password-type parameter), and on the Vault side issue it with a short TTL and a limited number of uses so that a leaked copy is of little value.
After you define the connection, you can define a parameter that reads a Vault secret into your TeamCity pipeline. The following example reads a static secret and exposes it as the build environment variable AWS_ACCESS_KEY_ID:
project {
    params {
        hashiCorpVaultParameter {
            name = "env.AWS_ACCESS_KEY_ID"
            // query syntax: <vault path>!/<json key>; a KV v2 path includes the "data/" segment
            query = "secret/data/awscreds!/access_key"
            vaultId = "HashiCups"               // the id of the connection defined above
        }
    }
}
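To make concrete what the connection and the parameter above actually do at build time, here is an added example (not the plugin's own code and not TeamCity DSL) that reproduces the two steps in Python: an AppRole login against Vault's HTTP API, then a KV read resolved through the plugin's `<path>!/<key>` query syntax. The query grammar and the KV v2 `data.data` unwrapping are my reading of the plugin's behaviour, the sample response is constructed, and the helper names (`parse_query`, `extract_value`, `least_privilege_policy`, `is_transport_safe`) are illustrative rather than plugin identifiers. The policy helper shows the minimal Vault policy the AppRole needs for the `awscreds` parameter.

```python
"""Added example: what a TeamCity Vault connection + parameter amount to.
Not plugin code. Assumptions: query grammar '<path>!/<key>' and KV v2
unwrapping mirror the plugin; helper names are illustrative."""
import json
import urllib.request
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple
from urllib.parse import urlparse

QUERY_SEPARATOR = "!/"   # assumed plugin syntax: vault path, then JSON key


@dataclass
class VaultConnection:
    url: str                          # e.g. "https://vault.example.com:8200/"
    role_id: str
    secret_id: str
    namespace: Optional[str] = None   # Vault Enterprise namespace, optional


def parse_query(query: str) -> Tuple[str, str]:
    """Split 'secret/data/awscreds!/access_key' into API path and JSON key."""
    if QUERY_SEPARATOR not in query:
        raise ValueError(f"query {query!r} lacks the '!/' path/key separator")
    path, key = query.split(QUERY_SEPARATOR, 1)
    path, key = path.strip("/"), key.strip("/")
    if not path or not key:
        raise ValueError(f"query {query!r} has an empty path or key")
    return path, key


def extract_value(secret_response: Dict[str, Any], key: str) -> str:
    """Pull one key out of a Vault read response.
    KV v2 nests user data under data.data (beside data.metadata); KV v1 uses data."""
    data = secret_response.get("data") or {}
    if isinstance(data.get("data"), dict) and "metadata" in data:   # KV v2 shape
        data = data["data"]
    if key not in data:
        raise KeyError(f"key {key!r} not present in secret")
    value = data[key]
    if not isinstance(value, str):
        raise TypeError(f"key {key!r} is not a string; refusing to export it")
    return value


def least_privilege_policy(query: str) -> str:
    """Vault policy HCL granting only 'read' on the single path the query uses.
    Bind this to the AppRole instead of a broad 'secret/*' policy."""
    path, _ = parse_query(query)
    return f'path "{path}" {{\n  capabilities = ["read"]\n}}\n'


def is_transport_safe(url: str) -> bool:
    """AppRole credentials travel in the request body: require TLS unless the
    Vault server is loopback (local dev, as in the page's example)."""
    parsed = urlparse(url)
    if parsed.scheme == "https":
        return True
    return parsed.scheme == "http" and parsed.hostname in ("127.0.0.1", "localhost", "::1")


def _request(conn: VaultConnection, method: str, api_path: str,
             token: Optional[str] = None, body: Optional[Dict[str, Any]] = None):
    url = conn.url.rstrip("/") + "/v1/" + api_path.lstrip("/")
    headers = {"Content-Type": "application/json"}
    if token:
        headers["X-Vault-Token"] = token
    if conn.namespace:
        headers["X-Vault-Namespace"] = conn.namespace
    payload = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=payload, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def approle_login(conn: VaultConnection) -> str:
    """POST auth/approle/login and return the client token (Vault API)."""
    if not is_transport_safe(conn.url):
        raise ValueError(f"refusing plaintext AppRole login to {conn.url}")
    resp = _request(conn, "POST", "auth/approle/login",
                    body={"role_id": conn.role_id, "secret_id": conn.secret_id})
    return resp["auth"]["client_token"]


def resolve_parameter(conn: VaultConnection, query: str) -> str:
    """One hashiCorpVaultParameter, end to end: login, read the path, extract the key."""
    path, key = parse_query(query)
    token = approle_login(conn)
    return extract_value(_request(conn, "GET", path, token=token), key)


# Constructed response shaped like GET /v1/secret/data/awscreds (KV v2); fake values.
SAMPLE_KV2_RESPONSE = {
    "data": {
        "data": {"access_key": "AKIAEXAMPLE", "secret_key": "EXAMPLEsecret"},
        "metadata": {"version": 3, "created_time": "2024-01-01T00:00:00Z"},
    }
}

if __name__ == "__main__":
    q = "secret/data/awscreds!/access_key"
    path, key = parse_query(q)
    print(path, key, extract_value(SAMPLE_KV2_RESPONSE, key))
    print(least_privilege_policy(q), end="")
```

Two things to take from this: the parameter's query names one path and one key, so the policy attached to the AppRole only needs `read` on that path; and the `data/` segment in the query is the KV v2 API prefix, which is why `secret/data/awscreds` is written rather than the logical name `secret/awscreds`.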
You can learn more in the TeamCity HashiCorp Vault integration documentation.
External resources:
- HashiCorp Vault Integration
- TeamCity Plugin for HashiCorp Vault
- TeamCity Plugin for HashiCorp Vault code repository
Next steps
In this section of managing CI/CD secrets, you learned about TeamCity and Vault integration. TeamCity and Vault integration is part of the Secure systems pillar.