CircleCI Example

Pre-requisites

In order to rotate a key that's stored in CircleCI env vars, you'll need:

  1. A GitHub machine user (not a human user) with write access to the GitHub repository that the CircleCI project is linked to.
  2. A CircleCI API key for the GitHub user, which can be generated by logging in to circleci.com as the user, then creating a personal API token.
  3. An env var set on the project in CircleCI.
  4. Credentials to actually perform the rotation with whichever cloud provider you're using. This requires a service account or user (with the cloud provider you're rotating keys for) that has the required set of permissions. Those credentials then need to be given to cloud-key-rotator (usually in the form of a .json file or env vars).

Configuration

    "AccountKeyLocations": [
      {
        "ServiceAccountName": "my_aws_machine_user",
        "CircleCI": [
          {
            "UsernameProject": "my_org/my_repo"
          },
          {
            "UsernameProject": "my_org/my_other_repo"
          }
        ]
      }
    ],
    "Credentials": {
      "CircleCIAPIToken": "my_circle_ci_api_token"
    }

When rotating AWS keys, there are two optional fields, KeyIDEnvVar and KeyEnvVar, that hold the env var names used in CircleCI. They default to AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY respectively.

So, if you store your Key ID and Key values in CircleCI env vars that are named differently, you could set something like this instead:

    "CircleCI": [{
      "UsernameProject": "my_org/my_repo",
      "KeyIDEnvVar": "AWS_KEY_ID",
      "KeyEnvVar": "AWS_KEY"
    }]

When rotating GCP keys, to override the default CircleCI env var name (GCLOUD_SERVICE_KEY) you only need to override the KeyEnvVar value, as GCP needs only a single value (the key):

    "CircleCI": [{
      "UsernameProject": "my_org/my_repo",
      "KeyEnvVar": "GCP_KEY"
    }]

If you use a GCP key to interact with GCR, especially for pulling the docker images CircleCI runs your pipelines in, you may want the key stored as JSON directly rather than base64 encoded (the default). You can do this by setting the Base64Decode option to true in the CircleCI location block, like so:

    "CircleCI": [{
      "UsernameProject": "my_org/my_repo",
      "Base64Decode": true
    }]
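To make the defaults described above concrete, here is an added Python model (not cloud-key-rotator's own code) that works out which CircleCI env vars a location block resolves to and what value format each gets; the `provider` switch, the sample location and the key values are constructed assumptions for illustration.

```python
import base64
import json

# Defaults as documented on this page (assumed by this added example).
AWS_DEFAULT_KEY_ID_VAR = "AWS_ACCESS_KEY_ID"
AWS_DEFAULT_KEY_VAR = "AWS_SECRET_ACCESS_KEY"
GCP_DEFAULT_KEY_VAR = "GCLOUD_SERVICE_KEY"

# Constructed sample: one AccountKeyLocations entry with two CircleCI targets,
# the second one overriding the AWS env var names.
SAMPLE_LOCATION = {
    "ServiceAccountName": "my_aws_machine_user",
    "CircleCI": [
        {"UsernameProject": "my_org/my_repo"},
        {"UsernameProject": "my_org/my_other_repo",
         "KeyIDEnvVar": "AWS_KEY_ID", "KeyEnvVar": "AWS_KEY"},
    ],
}


def planned_env_vars(location, provider, new_key):
    """Return {project: {env_var_name: value}} for one location entry.

    provider is "aws" (new_key = (key_id, secret)) or "gcp"
    (new_key = the service-account key as a JSON-serialisable dict).
    """
    plan = {}
    for target in location.get("CircleCI", []):
        project = target["UsernameProject"]
        if provider == "aws":
            key_id, secret = new_key
            plan[project] = {
                target.get("KeyIDEnvVar", AWS_DEFAULT_KEY_ID_VAR): key_id,
                target.get("KeyEnvVar", AWS_DEFAULT_KEY_VAR): secret,
            }
        elif provider == "gcp":
            raw = json.dumps(new_key)
            # Default is base64-encoded; Base64Decode: true stores raw JSON,
            # which is what a GCR docker login step expects.
            if target.get("Base64Decode", False):
                value = raw
            else:
                value = base64.b64encode(raw.encode()).decode()
            plan[project] = {target.get("KeyEnvVar", GCP_DEFAULT_KEY_VAR): value}
        else:
            raise ValueError(f"unsupported provider: {provider!r}")
    return plan


def stored_gcp_key_to_dict(value):
    """Decode a default (base64) GCP env var value back to the key dict."""
    return json.loads(base64.b64decode(value))
```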