Semaphore CLI: Secrets

Secrets are a way to store and share sensitive information between your projects, such as passwords, OAuth tokens, and SSH keys.

  1. Overview of Secrets
  2. Creating your first secret
  3. Adding secret to your projects

Commands in the secrets CLI namespace:

  1. List secrets
  2. Show information about secrets
  3. Create new secrets
  4. Rename secrets
  5. Removes secrets from your organization
  6. List files in secrets
  7. Add a file to secrets
  8. Remove a file from secrets
  9. List environment variables in secrets
  10. Add an environment variable to secrets
  11. Remove an environment variable from secrets

# Overview of Secrets

A Secret is a collection that contains a small amount of sensitive data, such as a password, a token, or a key, in the form of environment variables and configuration files. Such information might otherwise be put in the project specification as environment variables and configuration files. Putting it in a Secret gives you more control over how it is used and lets you share environment variables and files between your projects.

Users with admin access in the organization can create and destroy secrets, or attach them to teams to make them accessible to everyone in that team.

Once the secret is attached to a project, the environment variables and configuration files in the secret are available in builds of that project.

# Creating your first secret

Say that your builds need access to AWS, and you want to expose AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in your builds on several projects. A secret is the perfect place to store these sensitive variables.

Let's say that the name of your organization is playground and you have admin access rights.

To create a new secret aws-secrets for your organization:

$ sem secrets:create playground/aws-secrets

Add the two environment variables:

$ sem secrets:env-vars:add playground/aws-secrets --name AWS_ACCESS_KEY_ID --content 12345abcde
$ sem secrets:env-vars:add playground/aws-secrets --name AWS_SECRET_ACCESS_KEY --content qweeryy1235

# Adding secret to your projects

First, allow your developers to access the secret. If your developers are part of the devs team, you can execute the following:

$ sem teams:secrets:add playground/devs playground/aws-secrets

Then, attach the secret to your projects:

$ sem projects:secrets:add playground/project-X playground/aws-secrets
$ sem projects:secrets:add playground/project-Y playground/aws-secrets
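
The two procedures above, combined into one script. This is an added example, not part of the Semaphore documentation: the function name provision_secret and the choice to take values from variables already set in the caller's environment are assumptions, while every sem command is one shown on this page.

```shell
#!/bin/sh
# Added example (not from the Semaphore docs): create a secret, fill it from
# variables already set in the caller's environment, then attach it to a team
# and to projects, using only the sem commands shown on this page.
# Usage: provision_secret SECRET TEAM "VAR1 VAR2 ..." PROJECT...
provision_secret() (
  secret=$1 team=$2 names=$3
  [ "$#" -ge 4 ] || { echo "usage: provision_secret SECRET TEAM \"VARS\" PROJECT..." >&2; exit 2; }
  shift 3

  # Check every value before the first change, so a missing variable cannot
  # leave a half-filled secret attached to projects.
  for name in $names; do
    case $name in
      ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) echo "invalid variable name: $name" >&2; exit 2 ;;
    esac
    eval "value=\${$name-}"
    [ -n "$value" ] || { echo "$name is unset or empty" >&2; exit 1; }
  done

  sem secrets:create "$secret" || exit 1
  for name in $names; do
    eval "value=\${$name-}"
    # The value never appears as a literal in shell history, but it is still
    # an argument to sem and so visible in the local process list meanwhile.
    sem secrets:env-vars:add "$secret" --name "$name" --content "$value" || exit 1
  done
  sem teams:secrets:add "$team" "$secret" || exit 1
  for project in "$@"; do
    sem projects:secrets:add "$project" "$secret" || exit 1
  done
)
```

For the walkthrough above, the call would be `provision_secret playground/aws-secrets playground/devs "AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY" playground/project-X playground/project-Y`.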

# List secrets

$ sem secrets:list

Examples:

$ sem secrets:list
ID                                    NAME                 CONFIG FILES  ENV VARS
99c7ed43-ac8a-487e-b488-c38bc757a034  renderedtext/tokens             1         0
1133ed43-ac8a-487e-b488-c38bc757a044  renderedtext/secrets            0         1

# Show information about secrets

$ sem secrets:info SECRETNAME

Examples:

$ sem secrets:info renderedtext/tokens
ID                     99c7ed43-ac8a-487e-b488-c38bc757a034
Name                   renderedtext/tokens
Config Files           1
Environment Variables  0
Created                2017-08-01 13:14:40 +0200
Updated                2017-08-02 13:14:40 +0200

# Create new secrets

$ sem secrets:create SECRETNAME

Examples:

$ sem secrets:create renderedtext/tokens
ID                     99c7ed43-ac8a-487e-b488-c38bc757a034
Name                   renderedtext/tokens
Config Files           1
Environment Variables  0
Created                2017-08-01 13:14:40 +0200
Updated                2017-08-02 13:14:40 +0200

# Rename secrets

$ sem secrets:rename OLDSECRETSNAME NEWSECRETSNAME

Examples:

$ sem secrets:rename renderedtext/tokens renderedtext/psst
ID                     99c7ed43-ac8a-487e-b488-c38bc757a034
Name                   renderedtext/psst
Config Files           1
Environment Variables  0
Created                2017-08-01 13:14:40 +0200
Updated                2017-08-02 13:14:40 +0200

# Removes secrets from your organization

$ sem secrets:delete SECRETSNAME

Examples:

$ sem secrets:delete renderedtext/tokens
Deleted secret renderedtext/tokens.

# List files in secrets

$ sem secrets:files:list SECRETNAME

Examples:

$ sem secrets:files:list renderedtext/tokens
ID                                    PATH                      ENCRYPTED?
77c7ed43-ac8a-487e-b488-c38bc757a034  /home/runner/a            true
11c7ed43-bc8a-a87e-ba88-a38ba757a034  /home/runner/secrets.txt  true

# Add a file to secrets

$ sem secrets:files:add SECRETSNAME --path-on-semaphore PATH-ON-SEMAPHORE --local-path LOCAL-PATH

| Flag | Description |
|------|-------------|
| --path-on-semaphore | Path of the file in builds relative to /home/runner directory. Required. |
| --local-path | Location of the file on the local machine. Required. |

Examples:

$ sem secrets:files:add renderedtext/tokens --local-path /tmp/secrets.json --path-on-semaphore secrets.json
Added /home/runner/secrets.json to renderedtext/tokens.

# Remove a file from secrets

$ sem secrets:files:remove SECRETSNAME --path PATH

| Flag | Description |
|------|-------------|
| --path | Path of the file in builds relative to /home/runner directory. Required. |

Examples:

$ sem secrets:files:remove renderedtext/secrets --path secrets.json
Removed /home/runner/secrets.json from renderedtext/secrets.

# List environment variables in secrets

$ sem secrets:env-vars:list SECRETNAME

Examples:

$ sem secrets:env-vars:list renderedtext/tokens
ID                                    NAME    ENCRYPTED?  CONTENT
9997ed43-ac8a-487e-b488-c38bc757a034  SECRET  true        aaa
1117ed43-tc8a-387e-6488-838bc757a034  TOKEN   true        encrypted

# Add an environment variable to secrets

$ sem secrets:env-vars:add SECRETNAME --name NAME --content CONTENT

| Flag | Description |
|------|-------------|
| --name | Name of the variable. Required. |
| --content | Content of the variable. Required. |

Examples:

$ sem secrets:env-vars:add renderedtext/secrets --name TOKEN --content "s3cr3t"
Added TOKEN to renderedtext/secrets.

# Remove an environment variable from secrets

$ sem secrets:env-vars:remove SECRETS_NAME --name NAME

| Flag | Description |
|------|-------------|
| --name | Name of the variable. Required. |

Examples:

$ sem secrets:env-vars:remove renderedtext/secrets --name TOKEN
Removed TOKEN from renderedtext/secrets.


2009-2018 © Rendered Text. All rights reserved. Terms of Service, Privacy policy, Security.