woodpecker/docs/docs/20-usage/40-secrets.md

# Secrets

Woodpecker provides the ability to store named parameters external to the YAML configuration file, in a central secret store. These secrets can be passed to individual steps of the pipeline at runtime.

Secrets are exposed to your pipeline steps and plugins as uppercase environment variables and can therefore be referenced in the commands section of your pipeline.

```diff
pipeline:
  docker:
    image: docker
    commands:
+     - echo $DOCKER_USERNAME
+     - echo $DOCKER_PASSWORD
+   secrets: [ docker_username, docker_password ]
```

Alternatively, you can get a `setting` from secrets using the `from_secret` syntax.
In this example, the secret named `secret_token` would be passed to the pipeline as `PLUGIN_TOKEN`.

**NOTE:** the `from_secret` syntax only works with the newer `settings` block.

```diff
pipeline:
  docker:
    image: my-plugin
    settings:
+     token:
+       from_secret: secret_token
```


Please note parameter expressions are subject to pre-processing. When using secrets in parameter expressions they should be escaped.

```diff
pipeline:
  docker:
    image: docker
    commands:
-     - echo ${DOCKER_USERNAME}
-     - echo ${DOCKER_PASSWORD}
+     - echo $${DOCKER_USERNAME}
+     - echo $${DOCKER_PASSWORD}
    secrets: [ docker_username, docker_password ]
```

## Adding Secrets

Secrets are added to the Woodpecker secret store on the UI or with the CLI.

## Alternate Names

There may be scenarios where you are required to store secrets using alternate names. You can map the alternate secret name to the expected name using the below syntax:

```diff
pipeline:
  docker:
    image: plugins/docker
    repo: octocat/hello-world
    tags: latest
+   secrets:
+     - source: docker_prod_password
+       target: docker_password
```

## Pull Requests

Secrets are not exposed to pull requests by default. You can override this behavior by creating the secret and enabling the `pull_request` event type.

```diff
woodpecker-cli secret add \
  -repository octocat/hello-world \
  -image plugins/docker \
+ -event pull_request \
+ -event push \
+ -event tag \
  -name docker_username \
  -value <value>
```

Please be careful when exposing secrets to pull requests. If your repository is open source and accepts pull requests your secrets are not safe. A bad actor can submit a malicious pull request that exposes your secrets.

## Image filter

To prevent abusing your secrets with malicious pull requests, you can limit a secret to a list of images. They are not available to any other container. In addition, you can make the secret available only for plugins (steps without user-defined commands).

:::warning
If you enable the option "Only available for plugins", always set an image filter too. Otherwise, the secret can be accessed by a very simple self-developed plugin and is thus *not* safe.
If you only set an image filter, you could still access the secret using the same image and by specifying a command that prints it.
:::

## Examples

Create the secret using default settings. The secret will be available to all images in your pipeline, and will be available to all push, tag, and deployment events (not pull request events).

```diff
woodpecker-cli secret add \
  -repository octocat/hello-world \
  -name aws_access_key_id \
  -value <value>
```

Create the secret and limit to a single image:

```diff
woodpecker-cli secret add \
  -repository octocat/hello-world \
+ -image plugins/s3 \
  -name aws_access_key_id \
  -value <value>
```

Create the secrets and limit to a set of images:

```diff
woodpecker-cli secret add \
  -repository octocat/hello-world \
+ -image plugins/s3 \
+ -image peloton/woodpecker-ecs \
  -name aws_access_key_id \
  -value <value>
```

Create the secret and enable for multiple hook events:

```diff
woodpecker-cli secret add \
  -repository octocat/hello-world \
  -image plugins/s3 \
+ -event pull_request \
+ -event push \
+ -event tag \
  -name aws_access_key_id \
  -value <value>
```

Loading secrets from file using curl `@` syntax. This is the recommended approach for loading secrets from file to preserve newlines:

```diff
woodpecker-cli secret add \
  -repository octocat/hello-world \
  -name ssh_key \
+ -value @/root/ssh/id_rsa
```
Pipeline docs 2019-11-15 11:03:15 +00:00			`# Secrets`

Update YAML notes in docs (#928) * close #517 * sed -i 's/Yaml/YAML/g' * Update docs/docs/20-usage/10-intro.md Co-authored-by: qwerty287 <80460567+qwerty287@users.noreply.github.com> Co-authored-by: qwerty287 <80460567+qwerty287@users.noreply.github.com> 2022-05-19 18:07:27 +00:00			`Woodpecker provides the ability to store named parameters external to the YAML configuration file, in a central secret store. These secrets can be passed to individual steps of the pipeline at runtime.`
Pipeline docs 2019-11-15 11:03:15 +00:00
			`Secrets are exposed to your pipeline steps and plugins as uppercase environment variables and can therefore be referenced in the commands section of your pipeline.`

			```diff
			`pipeline:`
			`docker:`
			`image: docker`
			`commands:`
			`+ - echo $DOCKER_USERNAME`
			`+ - echo $DOCKER_PASSWORD`
[Docs] Migrate docs framework to Docusaurus (#282) - Replace mkdocs with docosaurus (improved menu structure, ...) - Structure docs into `Usage` and `Server Setup / Administration` - Update favicon - Create new pipeline-syntax page with all options and links to more detailed docs if available - Add ci to publish to `woodpecker-ci.github.io` - Deploy docs preview to surge for review - Update start-page Co-authored-by: 6543 <6543@obermui.de> 2021-09-11 15:10:32 +00:00			`+ secrets: [ docker_username, docker_password ]`
Pipeline docs 2019-11-15 11:03:15 +00:00			```

Spelling consistently (#1267) Since you gladly accepted my typo fix commit, I started doing some spell and consistency checking for the docs. Co-authored-by: 6543 <6543@obermui.de> 2022-10-14 14:57:45 +00:00			Alternatively, you can get a `setting` from secrets using the `from_secret` syntax.
Get secrets in settings (#604) * Get secrets in settings Signed-off-by: jolheiser <john.olheiser@gmail.com> * Add error test Signed-off-by: jolheiser <john.olheiser@gmail.com> * Add docs Signed-off-by: jolheiser <john.olheiser@gmail.com> 2021-12-13 19:33:07 +00:00			In this example, the secret named `secret_token` would be passed to the pipeline as `PLUGIN_TOKEN`.

			NOTE: the `from_secret` syntax only works with the newer `settings` block.

			```diff
			`pipeline:`
			`docker:`
			`image: my-plugin`
			`settings:`
			`+ token:`
			`+ from_secret: secret_token`
			```


Pipeline docs 2019-11-15 11:03:15 +00:00			`Please note parameter expressions are subject to pre-processing. When using secrets in parameter expressions they should be escaped.`

			```diff
			`pipeline:`
			`docker:`
			`image: docker`
			`commands:`
			`- - echo ${DOCKER_USERNAME}`
			`- - echo ${DOCKER_PASSWORD}`
			`+ - echo $${DOCKER_USERNAME}`
			`+ - echo $${DOCKER_PASSWORD}`
			`secrets: [ docker_username, docker_password ]`
			```

			`## Adding Secrets`

			`Secrets are added to the Woodpecker secret store on the UI or with the CLI.`

			`## Alternate Names`

			`There may be scenarios where you are required to store secrets using alternate names. You can map the alternate secret name to the expected name using the below syntax:`

			```diff
			`pipeline:`
			`docker:`
			`image: plugins/docker`
			`repo: octocat/hello-world`
			`tags: latest`
			`+ secrets:`
			`+ - source: docker_prod_password`
			`+ target: docker_password`
			```

			`## Pull Requests`

			Secrets are not exposed to pull requests by default. You can override this behavior by creating the secret and enabling the `pull_request` event type.

			```diff
[Docs] Migrate docs framework to Docusaurus (#282) - Replace mkdocs with docosaurus (improved menu structure, ...) - Structure docs into `Usage` and `Server Setup / Administration` - Update favicon - Create new pipeline-syntax page with all options and links to more detailed docs if available - Add ci to publish to `woodpecker-ci.github.io` - Deploy docs preview to surge for review - Update start-page Co-authored-by: 6543 <6543@obermui.de> 2021-09-11 15:10:32 +00:00			`woodpecker-cli secret add \`
Pipeline docs 2019-11-15 11:03:15 +00:00			`-repository octocat/hello-world \`
			`-image plugins/docker \`
			`+ -event pull_request \`
			`+ -event push \`
			`+ -event tag \`
			`-name docker_username \`
			`-value <value>`
			```

			`Please be careful when exposing secrets to pull requests. If your repository is open source and accepts pull requests your secrets are not safe. A bad actor can submit a malicious pull request that exposes your secrets.`

Support plugin-only secrets (#1344) Closes #1071 2022-10-27 02:21:07 +00:00			`## Image filter`

			`To prevent abusing your secrets with malicious pull requests, you can limit a secret to a list of images. They are not available to any other container. In addition, you can make the secret available only for plugins (steps without user-defined commands).`

			`:::warning`
			`If you enable the option "Only available for plugins", always set an image filter too. Otherwise, the secret can be accessed by a very simple self-developed plugin and is thus not safe.`
			`If you only set an image filter, you could still access the secret using the same image and by specifying a command that prints it.`
			`:::`

Pipeline docs 2019-11-15 11:03:15 +00:00			`## Examples`

			`Create the secret using default settings. The secret will be available to all images in your pipeline, and will be available to all push, tag, and deployment events (not pull request events).`

			```diff
[Docs] Migrate docs framework to Docusaurus (#282) - Replace mkdocs with docosaurus (improved menu structure, ...) - Structure docs into `Usage` and `Server Setup / Administration` - Update favicon - Create new pipeline-syntax page with all options and links to more detailed docs if available - Add ci to publish to `woodpecker-ci.github.io` - Deploy docs preview to surge for review - Update start-page Co-authored-by: 6543 <6543@obermui.de> 2021-09-11 15:10:32 +00:00			`woodpecker-cli secret add \`
Pipeline docs 2019-11-15 11:03:15 +00:00			`-repository octocat/hello-world \`
			`-name aws_access_key_id \`
			`-value <value>`
			```

			`Create the secret and limit to a single image:`

			```diff
[Docs] Migrate docs framework to Docusaurus (#282) - Replace mkdocs with docosaurus (improved menu structure, ...) - Structure docs into `Usage` and `Server Setup / Administration` - Update favicon - Create new pipeline-syntax page with all options and links to more detailed docs if available - Add ci to publish to `woodpecker-ci.github.io` - Deploy docs preview to surge for review - Update start-page Co-authored-by: 6543 <6543@obermui.de> 2021-09-11 15:10:32 +00:00			`woodpecker-cli secret add \`
Pipeline docs 2019-11-15 11:03:15 +00:00			`-repository octocat/hello-world \`
			`+ -image plugins/s3 \`
			`-name aws_access_key_id \`
			`-value <value>`
			```

			`Create the secrets and limit to a set of images:`

			```diff
[Docs] Migrate docs framework to Docusaurus (#282) - Replace mkdocs with docosaurus (improved menu structure, ...) - Structure docs into `Usage` and `Server Setup / Administration` - Update favicon - Create new pipeline-syntax page with all options and links to more detailed docs if available - Add ci to publish to `woodpecker-ci.github.io` - Deploy docs preview to surge for review - Update start-page Co-authored-by: 6543 <6543@obermui.de> 2021-09-11 15:10:32 +00:00			`woodpecker-cli secret add \`
Pipeline docs 2019-11-15 11:03:15 +00:00			`-repository octocat/hello-world \`
			`+ -image plugins/s3 \`
[Docs] Migrate docs framework to Docusaurus (#282) - Replace mkdocs with docosaurus (improved menu structure, ...) - Structure docs into `Usage` and `Server Setup / Administration` - Update favicon - Create new pipeline-syntax page with all options and links to more detailed docs if available - Add ci to publish to `woodpecker-ci.github.io` - Deploy docs preview to surge for review - Update start-page Co-authored-by: 6543 <6543@obermui.de> 2021-09-11 15:10:32 +00:00			`+ -image peloton/woodpecker-ecs \`
Pipeline docs 2019-11-15 11:03:15 +00:00			`-name aws_access_key_id \`
			`-value <value>`
			```

			`Create the secret and enable for multiple hook events:`

			```diff
[Docs] Migrate docs framework to Docusaurus (#282) - Replace mkdocs with docosaurus (improved menu structure, ...) - Structure docs into `Usage` and `Server Setup / Administration` - Update favicon - Create new pipeline-syntax page with all options and links to more detailed docs if available - Add ci to publish to `woodpecker-ci.github.io` - Deploy docs preview to surge for review - Update start-page Co-authored-by: 6543 <6543@obermui.de> 2021-09-11 15:10:32 +00:00			`woodpecker-cli secret add \`
Pipeline docs 2019-11-15 11:03:15 +00:00			`-repository octocat/hello-world \`
			`-image plugins/s3 \`
			`+ -event pull_request \`
			`+ -event push \`
			`+ -event tag \`
			`-name aws_access_key_id \`
			`-value <value>`
			```

			Loading secrets from file using curl `@` syntax. This is the recommended approach for loading secrets from file to preserve newlines:

			```diff
[Docs] Migrate docs framework to Docusaurus (#282) - Replace mkdocs with docosaurus (improved menu structure, ...) - Structure docs into `Usage` and `Server Setup / Administration` - Update favicon - Create new pipeline-syntax page with all options and links to more detailed docs if available - Add ci to publish to `woodpecker-ci.github.io` - Deploy docs preview to surge for review - Update start-page Co-authored-by: 6543 <6543@obermui.de> 2021-09-11 15:10:32 +00:00			`woodpecker-cli secret add \`
Pipeline docs 2019-11-15 11:03:15 +00:00			`-repository octocat/hello-world \`
			`-name ssh_key \`
			`+ -value @/root/ssh/id_rsa`
			```