[Solved] Drone agent does not retrieve vault secret

Hi, I’m using drone docker (both server and agent) (latest image version).
Problem: The drone agent does not seem to get the secret from Vault, but when I use the drone CLI to debug, it prints the secret.

  • The drone cli cmd:
    drone plugins secret get secret/docker password --endpoint=http://myvaultdomain:3020 --secret=myvaultsecret --repo=gien/drone-ci-test

  • Docker run agent:
    docker run -d -v /var/run/docker.sock:/var/run/docker.sock -e DRONE_RPC_PROTO=https -e DRONE_RPC_HOST=mydomain -e DRONE_RPC_SECRET=rpcsecret -e DRONE_RUNNER_CAPACITY=2 -e DRONE_RUNNER_NAME=cidroneagent-4 -e DRONE_SECRET_PLUGIN_ENDPOINT=http://myvaultdomain:3020 -e DRONE_SECRET_PLUGIN_TOKEN=myvaultsecret -e DRONE_RUNNER_LABELS="name:agent4" -p 7001:3000 --restart always --name runner drone/agent

  • Here is docker run drone/vault:
    docker run --env=SECRET_KEY=mysecretkey --env=VAULT_ADDR=http://myvaultdomain:8200 --env=VAULT_TOKEN=myvaulttoken --env=VAULT_SKIP_VERIFY=true --env=DEBUG=true --publish=3020:3000 drone/vault

  • And the last is my .drone.yaml file:

---
kind: secret
name: username
get:
  path: secret/data/docker
  name: username

---
kind: secret
name: password
get:
  path: secret/data/docker
  name: password

---
kind: pipeline
name: default

node:
  name: agent4

steps:
- name: logging
  image: alpine
  environment:
    USERNAME:
      from_secret: username
    PASSWORD:
      from_secret: password
  commands:
  - env 

The logging step does not print the USERNAME env variable.

The agent is wrongly documented, you need to use DRONE_SECRET_ENDPOINT instead of DRONE_SECRET_PLUGIN_ENDPOINT, and DRONE_SECRET_SECRET instead of DRONE_SECRET_PLUGIN_TOKEN.

Most likely the new variables described in the documentation will also work at some point, but the code doesn’t seem to be updated for them yet. I struggled the same way in this thread.

2 Likes

It works correctly, thank you so much.

1 Like
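
A quick check for the mismatch described in the answer, as an added example that is not part of the original thread or the Drone project: it reads an agent's environment as KEY=VALUE lines and reports secret-plugin variables set under the names the answer says are ignored, printing variable names only so the token never reaches a terminal or log. The function names `working_name`, `check_agent_env` and `sample_env` are hypothetical, the name mapping is taken from the answer, and the sample input is constructed from the agent command in the question.

```shell
#!/bin/sh
# Added example. Reads KEY=VALUE lines (one per line) on stdin and reports
# secret-plugin variables set under names the agent in this thread ignored.
# Values are never printed, only variable names.

# Map a documented-but-ignored name to the name the answer says works.
working_name() {
    case "$1" in
        DRONE_SECRET_PLUGIN_ENDPOINT) echo DRONE_SECRET_ENDPOINT ;;
        DRONE_SECRET_PLUGIN_TOKEN)    echo DRONE_SECRET_SECRET ;;
        *) return 1 ;;
    esac
}

# Prints one line per variable; exit status 0 = OK, 1 = rename or set needed.
check_agent_env() {
    env_lines=$(cat)
    status=0
    for old in DRONE_SECRET_PLUGIN_ENDPOINT DRONE_SECRET_PLUGIN_TOKEN; do
        new=$(working_name "$old")
        has_old=$(printf '%s\n' "$env_lines" | grep -c "^${old}=" || true)
        has_new=$(printf '%s\n' "$env_lines" | grep -c "^${new}=" || true)
        if [ "$has_new" -gt 0 ]; then
            echo "ok: $new is set"
        elif [ "$has_old" -gt 0 ]; then
            echo "rename: $old -> $new"
            status=1
        else
            echo "missing: $new"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample input mirroring the agent command in the question.
sample_env() {
    cat <<'EOF'
DRONE_RPC_PROTO=https
DRONE_RPC_HOST=mydomain
DRONE_SECRET_PLUGIN_ENDPOINT=http://myvaultdomain:3020
DRONE_SECRET_PLUGIN_TOKEN=myvaultsecret
EOF
}

# Against a live container (named "runner" as in the question):
#   docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' runner | check_agent_env
sample_env | check_agent_env || true
```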