[SOLVED] Drone 1.0.0-rc.1 secret doesn't work

v7lin · December 2, 2018, 5:05pm

- name: alpine
  image: alpine
  environment:
    USERNAME:
      from_secret: MAC_USER
  commands:
  - echo ${MAC_USER}/${USERNAME}
  - echo ${DRONE_TAG}/${DRONE_BRANCH}/${DRONE_COMMIT}

- name: ssh-docker-host
  image: appleboy/drone-ssh
  settings:
    host: host.docker.internal
    port: 22
    username:
      from_secret: MAC_USER
    password:
      from_secret: MAC_PASSWORD
    script:
    - date -R
    - system_profiler SPSoftwareDataType
    - bash -lc 'flutter --version'
    - date -R

+ echo /
/
+ echo /master/706345abefd33d3d80409a45e39d71b016e8a0aa
/master/706345abefd33d3d80409a45e39d71b016e8a0aa

it doesn’t print MAC_USER or USERNAME

======CMD======
date -R
system_profiler SPSoftwareDataType
bash -lc 'flutter --version'
date -R
======END======
out: Mon, 03 Dec 2018 01:01:00 +0800
out: Software:
out: 
out:     System Software Overview:
out: 
out:       System Version: macOS 10.14.1 (18B75)
out:       Kernel Version: Darwin 18.2.0
out:       Boot Volume: Macintosh HD
out:       Boot Mode: Normal
out:       Computer Name: ********-mbp
out:       User Name: 林恒龙 (********)
out:       Secure Virtual Memory: Enabled
out:       System Integrity Protection: Enabled
out:       Time since boot: 3:58
out: 
out: Flutter 0.11.13 • channel beta • https://github.com/flutter/flutter.git
out: Framework • revision 58c8489fcd (3 days ago) • 2018-11-29 19:20:18 -0500
out: Engine • revision 7375a0f414
out: Tools • Dart 2.1.0 (build 2.1.0-dev.9.4 f9ebf21297)
out: Mon, 03 Dec 2018 01:01:01 +0800
==========================================
Successfully executed commands to all host.
==========================================

bradrydzewski · December 2, 2018, 5:31pm

you need to do this:

  - name: alpine
    image: alpine
    environment:
      USERNAME:
        from_secret: MAC_USER
    commands:
-   - echo ${USERNAME}
+   - echo $USERNAME

or this:

  - name: alpine
    image: alpine
    environment:
      USERNAME:
        from_secret: MAC_USER
    commands:
-   - echo ${USERNAME}
+   - echo $${USERNAME}

This is because when you include a $ in your yaml it needs to be escaped:

You can use a $$ (double-dollar sign) when your configuration needs a literal dollar sign. This prevents Drone from interpolating a value, so a $$ allows you to refer to environment variables that you don’t want processed by Drone.

v7lin · December 3, 2018, 1:35am

… thanks a lot …

v7lin · December 3, 2018, 1:54am

- name: build-ios
  image: appleboy/drone-ssh
  environment:
    MAC_USER:
      from_secret: MAC_USER
    MAC_PASSWORD:
      from_secret: MAC_PASSWORD
  settings:
    host: host.docker.internal
    port: 22
    username:
      from_secret: MAC_USER
    password:
      from_secret: MAC_PASSWORD
    command_timeout: 600
    envs: [ MAC_USER,MAC_PASSWORD ]
    script:
    - date -R
    - echo $${MAC_USER}/$${MAC_PASSWORD}
    - bash -lc 'security unlock-keychain -p 123456 login.keychain'
    - bash -lc 'security unlock-keychain -p $${MAC_PASSWORD} login.keychain'
    - date -R

======CMD======
date -R
echo ${MAC_USER}/${MAC_PASSWORD}
bash -lc 'security unlock-keychain -p ******** login.keychain'
bash -lc 'security unlock-keychain -p ${MAC_PASSWORD} login.keychain'
date -R
======END======
out: Mon, 03 Dec 2018 09:49:29 +0800
out: ********/********
out: Mon, 03 Dec 2018 09:49:29 +0800
err: security: SecKeychainUnlock <NULL>: The user name or passphrase you entered is not correct.
==========================================
Successfully executed commands to all host.
==========================================

secret doesn’t work in command line

- bash -lc 'security unlock-keychain -p $${MAC_PASSWORD} login.keychain'

err: security: SecKeychainUnlock <NULL>: The user name or passphrase you entered is not correct.

bradrydzewski · December 3, 2018, 2:26am

This is a problem with your bash scripting. You are using single-quotes in your script. When you use single quotes, it is a string literal, and your environment variables will not be expanded.

see this stackoverflow: https://stackoverflow.com/questions/13799789/expansion-of-variable-inside-single-quotes-in-a-command-in-bash

bradrydzewski · December 3, 2018, 2:31am

Also, if I understand your post correctly, you are also trying to run this from command line with drone exec (if I misunderstood, you can ignore this). When you run your pipeline locally you need to pass your secrets to drone exec. The drone exec command does not have any access to secrets stored in the drone server.

$ cat <<EOF > secrets.txt
MAC_USER=xxxx
MAC_PASSWORD=yyyy
EOF
$ drone exec --secret-file=secrets.txt

v7lin · December 3, 2018, 2:43am

ssh should use

bash -lc 'xxx'

load environment

v7lin · December 3, 2018, 2:51am

thanks a lot, I have solved it.

- name: ssh-docker-host
  image: appleboy/drone-ssh
  environment:
    MAC_USER:
      from_secret: MAC_USER
    MAC_PASSWORD:
      from_secret: MAC_PASSWORD
  settings:
    host: host.docker.internal
    port: 22
    username:
      from_secret: MAC_USER
    password:
      from_secret: MAC_PASSWORD
    envs: [ MAC_USER,MAC_PASSWORD ]
    script:
    - date -R
    - system_profiler SPSoftwareDataType
    - bash -lc 'flutter --version'
    - echo $MAC_USER/$MAC_PASSWORD
    - echo $${MAC_USER}/$${MAC_PASSWORD}
    - bash -lc 'security unlock-keychain -p '$${MAC_PASSWORD}' login.keychain'
    - date -R

Topic		Replies	Views
Problems with Secrets Drone FAQ	1	5919	December 19, 2018
Why environment and envs are not working? Drone Support environment	1	549	March 21, 2022
[solved] Secrets not available to drone exec --local Drone Support	4	3716	September 19, 2017
Drone with ansible plugin does not authenticate SSH key Drone Support	0	234	June 15, 2023
Kubernetes plugin command variables not expanding? Drone Support	2	277	March 27, 2021

[SOLVED] Drone 1.0.0-rc.1 secret doesn't work

Related topics