Semaphore CLI: Secrets

Secrets are a way to store and share sensitive information between your projects, such as passwords, OAuth tokens, and SSH keys.

  1. Overview of Secrets
  2. Creating your first secret
  3. Adding secret to your projects

Commands in the secrets CLI namespace:

  1. List secrets
  2. Show information about secrets
  3. Create new secrets
  4. Rename secrets
  5. Removes secrets from your organization
  6. List files in secrets
  7. Add a file to secrets
  8. Remove a file from secrets
  9. List environment variables in secrets
  10. Add an environment variable to secrets
  11. Remove an environment variable from secrets

Overview of Secrets

A Secret is a collection that contains a small amount of sensitive data, such as a password, a token, or a key, in the form of environment variables and configuration files. Such information might otherwise be put in the project specification as environment variables and configuration files. Putting it in a Secret allows for more control over how it is used, and allows sharing environment variables and files between your projects.

Users with admin access in the organization can create and destroy secrets, or attach them to teams to make them accessible to everyone in that team.

Once the secret is attached to a project, the environment variables and configuration files in the secret are available in builds of that project.

Creating your first secret

Say that your builds need access to AWS, and you want to expose AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in your builds on several projects. A secret is the perfect place to store these sensitive variables.

Let's say that the name of your organization is playground and you have admin access rights.

To create a new secret aws-secrets for your organization:

$ sem secrets:create playground/aws-secrets

Add the two environment variables:

$ sem secrets:env-vars:add playground/aws-secrets --name AWS_ACCESS_KEY_ID --content 12345abcde
$ sem secrets:env-vars:add playground/aws-secrets --name AWS_SECRET_ACCESS_KEY --content qweeryy1235

Adding secret to your projects

First, allow your developers to access the secret. If your developers are part of the devs team, you can execute the following:

$ sem teams:secrets:add playground/devs playground/aws-secrets

Then, attach the secret to your projects:

$ sem projects:secrets:add playground/project-X playground/aws-secrets
$ sem projects:secrets:add playground/project-Y playground/aws-secrets

List secrets

$ sem secrets:list

Examples:

$ sem secrets:list
ID                                    NAME                 CONFIG FILES  ENV VARS
99c7ed43-ac8a-487e-b488-c38bc757a034  renderedtext/tokens             1         0
1133ed43-ac8a-487e-b488-c38bc757a044  renderedtext/secrets            0         1

Show information about secrets

$ sem secrets:info SECRET_NAME

Examples:

$ sem secrets:info renderedtext/tokens
ID                     99c7ed43-ac8a-487e-b488-c38bc757a034
Name                   renderedtext/tokens
Config Files           1
Environment Variables  0
Created                2017-08-01 13:14:40 +0200
Updated                2017-08-02 13:14:40 +0200

Create new secrets

$ sem secrets:create SECRET_NAME

Examples:

$ sem secrets:create renderedtext/tokens
ID                     99c7ed43-ac8a-487e-b488-c38bc757a034
Name                   renderedtext/tokens
Config Files           1
Environment Variables  0
Created                2017-08-01 13:14:40 +0200
Updated                2017-08-02 13:14:40 +0200

Rename secrets

$ sem secrets:rename OLD_SECRETS_NAME NEW_SECRETS_NAME

Examples:

$ sem secrets:rename renderedtext/tokens renderedtext/psst
ID                     99c7ed43-ac8a-487e-b488-c38bc757a034
Name                   renderedtext/psst
Config Files           1
Environment Variables  0
Created                2017-08-01 13:14:40 +0200
Updated                2017-08-02 13:14:40 +0200

Removes secrets from your organization

$ sem secrets:delete SECRETS_NAME

Examples:

$ sem secrets:delete renderedtext/tokens
Deleted secret renderedtext/tokens.

List files in secrets

$ sem secrets:files:list SECRET_NAME

Examples:

$ sem secrets:files:list renderedtext/tokens
ID                                    PATH                      ENCRYPTED?
77c7ed43-ac8a-487e-b488-c38bc757a034  /home/runner/a            true
11c7ed43-bc8a-a87e-ba88-a38ba757a034  /home/runner/secrets.txt  true

Add a file to secrets

$ sem secrets:files:add SECRETS_NAME --path-on-semaphore PATH-ON-SEMAPHORE --local-path LOCAL-PATH

Flag                 Description
--path-on-semaphore  Path of the file in builds, relative to the /home/runner directory. Required.
--local-path         Location of the file on the local machine. Required.

Examples:

$ sem secrets:files:add renderedtext/tokens --local-path /tmp/secrets.json --path-on-semaphore secrets.json
Added /home/runner/secrets.json to renderedtext/tokens.
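
A value passed with --content ends up in your shell history and in the process list of the machine where sem runs. The function below is an added example, not part of the Semaphore docs: it stores a credential as a secret file instead, using only the secrets:files:add command and flags documented here. The function name add_secret_file and the file name aws-credentials are assumptions.

```shell
#!/usr/bin/env bash
# Added example: put a credential into a secret as a *file*, so its value
# never appears in argv or shell history. Only `sem secrets:files:add` and
# its two flags come from the page; all other names are hypothetical.

# add_secret_file ORG/SECRET PATH_ON_SEMAPHORE   (file content read from stdin)
add_secret_file() {
  local secret dest tmp rc
  secret="$1"; dest="$2"; rc=0
  if [ -z "$secret" ] || [ -z "$dest" ]; then
    echo "usage: add_secret_file ORG/SECRET PATH_ON_SEMAPHORE < content" >&2
    return 2
  fi
  # --path-on-semaphore is relative to /home/runner: reject absolute paths
  # and ".." segments so the file cannot be aimed outside that directory.
  case "$dest" in
    /*|..|../*|*/..|*/../*) echo "refusing path: $dest" >&2; return 2 ;;
  esac
  # mktemp creates the file with mode 0600, unreadable to other local users.
  tmp="$(mktemp)" || return 1
  cat > "$tmp" || rc=$?
  if [ "$rc" -eq 0 ] && [ ! -s "$tmp" ]; then
    echo "empty input, nothing uploaded" >&2
    rc=1
  fi
  if [ "$rc" -eq 0 ]; then
    sem secrets:files:add "$secret" \
      --path-on-semaphore "$dest" --local-path "$tmp" || rc=$?
  fi
  rm -f "$tmp"   # remove the plaintext copy whether or not the upload worked
  return "$rc"
}

# Run as a script:
#   ./add-secret-file.sh playground/aws-secrets aws-credentials < ~/.aws/credentials
if [ "$#" -eq 2 ]; then
  add_secret_file "$1" "$2"
fi
```

The temporary copy exists only for the duration of the upload; the original credentials file on your machine is left untouched and remains your responsibility to protect.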

Remove a file from secrets

$ sem secrets:files:remove SECRETS_NAME --path PATH

Flag    Description
--path  Path of the file in builds, relative to the /home/runner directory. Required.

Examples:

$ sem secrets:files:remove renderedtext/secrets --path secrets.json
Removed /home/runner/secrets.json from renderedtext/secrets.

List environment variables in secrets

$ sem secrets:env-vars:list SECRET_NAME

Examples:

$ sem secrets:env-vars:list renderedtext/tokens
ID                                    NAME    ENCRYPTED?  CONTENT
9997ed43-ac8a-487e-b488-c38bc757a034  SECRET  true        aaa
1117ed43-tc8a-387e-6488-838bc757a034  TOKEN   true        *encrypted*

Add an environment variable to secrets

$ sem secrets:env-vars:add SECRET_NAME --name NAME --content CONTENT

Flag       Description
--name     Name of the variable. Required.
--content  Content of the variable. Required.

Examples:

$ sem secrets:env-vars:add renderedtext/secrets --name TOKEN --content "s3cr3t"
Added TOKEN to renderedtext/secrets.

Remove an environment variable from secrets

$ sem secrets:env-vars:remove SECRETS_NAME --name NAME

Flag    Description
--name  Name of the variable. Required.

Examples:

$ sem secrets:env-vars:remove renderedtext/secrets --name TOKEN
Removed TOKEN from renderedtext/secrets.

2009-2017 © Rendered Text. All rights reserved. Terms of Service, Privacy policy, Security.