├── plugin.yml ├── hooks └── environment ├── README.md ├── LICENSE └── lib └── environment.py /plugin.yml: -------------------------------------------------------------------------------- 1 | name: Akeyless secrets integration 2 | description: Sets up environment in Buildkite containing secrets from Akeyless. 3 | author: Dropbox 4 | requirements: 5 | - python3 6 | configuration: 7 | properties: 8 | audience: 9 | type: string 10 | description: "The audience for the Akeyless token. Defaults to 'buildkite'." 11 | default: "buildkite" 12 | akeyless_url: 13 | type: string 14 | description: "The URL of the Akeyless server. Defaults to https://api.akeyless.io'." 15 | default: "https://api.akeyless.io" 16 | auth_access_id: 17 | type: string 18 | description: "The Akeyless access ID for authentication." 19 | auth_secret_name: 20 | type: string 21 | description: Agent secret name - if the auth access id is stored in an agent secret." 22 | secrets: 23 | type: object 24 | description: "Mapping of env var to Akeyless paths - where each env var will receive the value of the Akeyless path." 25 | store_token: 26 | type: boolean 27 | description: "Whether to store the Akeyless token in an environment variable." 28 | default: false 29 | additionalProperties: false -------------------------------------------------------------------------------- /hooks/environment: -------------------------------------------------------------------------------- 1 | #!/bin/bash -eu 2 | 3 | set -euo pipefail 4 | 5 | install_macos_certificates() { 6 | if [[ "$OSTYPE" == "darwin"* ]]; then 7 | echo "Detected macOS, checking SSL certificates..." 8 | 9 | # Try to find and run the Install Certificates command 10 | # First, get the actual Python version being used 11 | python_version=$(python3 -c "import sys; print(f'{sys.version_info.major}.{sys.version_info.minor}')") 12 | echo "Detected Python version: $python_version" 13 | 14 | # Get the Python executable path to help locate the Install Certificates script 15 | python_exec=$(python3 -c "import sys; print(sys.executable)") 16 | echo "Python executable: $python_exec" 17 | 18 | # Try different common locations for the Install Certificates command 19 | cert_command_paths=( 20 | "/Applications/Python ${python_version}/Install Certificates.command" 21 | "$(dirname "$python_exec")/../Resources/Install Certificates.command" 22 | "$(dirname "$python_exec")/Install Certificates.command" 23 | "/usr/local/lib/python${python_version}/site-packages/Install Certificates.command" 24 | ) 25 | 26 | cert_installed=false 27 | for cert_command in "${cert_command_paths[@]}"; do 28 | if [[ -f "$cert_command" ]]; then 29 | echo "Found Install Certificates at: $cert_command" 30 | echo "Running Install Certificates..." 31 | if "$cert_command"; then 32 | echo "Successfully ran Install Certificates" 33 | cert_installed=true 34 | break 35 | else 36 | echo "Warning: Install Certificates command failed" 37 | fi 38 | fi 39 | done 40 | 41 | if [[ "$cert_installed" == "false" ]]; then 42 | echo "No Install Certificates.command found for Python $python_version" 43 | echo "SSL certificate verification may fail - consider manually running the Install Certificates command" 44 | fi 45 | fi 46 | } 47 | 48 | # Install certificates before running the Python script 49 | install_macos_certificates 50 | 51 | DIR="$(cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd)" 52 | python3 $DIR/../lib/environment.py -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Akeyless BuildKite Plugin 2 | 3 | Integration between Akeyless and BuildKite with JWT authentication. Allows for secrets retrieval into environment variables. 4 | 5 | ## Requirements 6 | 7 | 1. The environment should have `python3` in $PATH 8 | 2. A JWT Auth method is created in Akeyless. See: 9 | 3. The access-id of the auth method created in (2) 10 | 11 | ## Example 12 | 13 | Add the following to your `pipeline.yml`: 14 | 15 | ```yml 16 | steps: 17 | - command: echo "Hello World" 18 | plugins: 19 | - dropbox/akeyless-buildkite-plugin: 20 | auth_access_id: "p-myid1729" 21 | secrets: 22 | MY_ENV_VAR1: path/to/secret/var1 23 | MY_ENV_VAR2: path/to/secret/var2 24 | ``` 25 | 26 | or to not expose auth access id: 27 | ```yml 28 | steps: 29 | - command: echo "Hello World" 30 | plugins: 31 | - dropbox/akeyless-buildkite-plugin: 32 | auth_secret_name: "AUTH_ID_SECRET" # See: https://buildkite.com/docs/pipelines/security/secrets/buildkite-secrets 33 | secrets: 34 | MY_ENV_VAR1: path/to/secret/var1 35 | MY_ENV_VAR2: path/to/secret/var2 36 | ``` 37 | 38 | ## Configuration 39 | 40 | ### `audience` (Optional, string) 41 | 42 | The audience for the Akeyless token. Defaults to 'buildkite'. Should match the audience configured when creating the Akeyless Auth Method 43 | 44 | ### `akeyless_url` (Optional, string) 45 | 46 | The URL of the Akeyless API server. Defaults to ''. 47 | 48 | ### `auth_access_id` (Required, string) 49 | 50 | The Akeyless access ID for authentication. This can be retrieved either via Akeyless CLI, Console, or UI. See: . 51 | 52 | ### `auth_secret_name` (Required, string) 53 | 54 | Use an agent secret to get `auth_access_id` instead of inputting it directly. See: https://buildkite.com/docs/pipelines/security/secrets/buildkite-secrets 55 | 56 | ### `secrets` (Required, object) 57 | 58 | Mapping of env var to Akeyless paths - where each env var will receive the value of the Akeyless path. Invalid paths (insufficient permissions, non-existent) will be ignored. 59 | 60 | ### `store_token` (Optional, boolean) 61 | 62 | Whether to store the Akeyless token in an environment variable. If true, the access token will be stored (and redacted) in the `AKEYLESS_TOKEN` env var. 63 | 64 | When used, be mindful that there is a TTL on this oken (Default: 15m). 65 | 66 | ## License 67 | 68 | Unless otherwise noted: 69 | 70 | ``` 71 | Copyright (c) 2025 Dropbox, Inc. 72 | 73 | Licensed under the Apache License, Version 2.0 (the "License"); 74 | you may not use this file except in compliance with the License. 75 | You may obtain a copy of the License at 76 | 77 | http://www.apache.org/licenses/LICENSE-2.0 78 | 79 | Unless required by applicable law or agreed to in writing, software 80 | distributed under the License is distributed on an "AS IS" BASIS, 81 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 82 | See the License for the specific language governing permissions and 83 | limitations under the License. 84 | ``` 85 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /lib/environment.py: -------------------------------------------------------------------------------- 1 | import json 2 | import os 3 | import subprocess 4 | import sys 5 | import urllib.error 6 | import urllib.request 7 | 8 | from subprocess import PIPE, Popen, STDOUT 9 | 10 | AKEYLESS_AUTH_METHOD = "jwt" 11 | AKEYLESS_TOKEN_ENV_VAR = "AKEYLESS_TOKEN" 12 | 13 | BUILDKITE_PLUGIN_CONFIGURATION = "BUILDKITE_PLUGIN_CONFIGURATION" 14 | BUILDKITE_PLUGIN_AUDIENCE_PROPERTY = "audience" 15 | BUILDKITE_PLUGIN_AKEYLESS_URL_PROPERTY = "akeyless_url" 16 | BUILDKITE_PLUGIN_AUTH_ACCESS_ID_PROPERTY = "auth_access_id" 17 | BUILDKITE_PLUGIN_AUTH_SECRET_NAME_PROPERTY = "auth_secret_name" 18 | BUILDKITE_PLUGIN_SECRETS_PROPERTY = "secrets" 19 | BUILDKITE_STORE_TOKEN_PROPERTY = "store_token" 20 | 21 | DEFAULT_AUDIENCE = "buildkite" 22 | DEFAULT_AKEYLESS_URL = "https://api.akeyless.io" 23 | 24 | def load_plugin_config() -> None: 25 | cfg = os.environ.get(BUILDKITE_PLUGIN_CONFIGURATION) 26 | if not cfg: 27 | print( 28 | f"Error: {BUILDKITE_PLUGIN_CONFIGURATION} is not set", 29 | file=sys.stderr, 30 | ) 31 | sys.exit(1) 32 | try: 33 | return json.loads(cfg) 34 | except json.JSONDecodeError as e: 35 | print(f"Error parsing JSON: {e}", file=sys.stderr) 36 | sys.exit(1) 37 | 38 | 39 | def make_secret_dict(config, property_name) -> dict: 40 | entries = config.get(property_name, []) 41 | if not isinstance(entries, dict): 42 | print( 43 | f"Error: `{property_name}` is not a dict in plugin configuration", 44 | file=sys.stderr, 45 | ) 46 | sys.exit(1) 47 | 48 | return entries 49 | 50 | 51 | def main() -> None: 52 | cfg = load_plugin_config() 53 | 54 | secret_dict = make_secret_dict(cfg, BUILDKITE_PLUGIN_SECRETS_PROPERTY) 55 | if not secret_dict: 56 | print("No secrets found in plugin configuration", file=sys.stderr) 57 | sys.exit(1) 58 | audience = cfg.get(BUILDKITE_PLUGIN_AUDIENCE_PROPERTY, DEFAULT_AUDIENCE) 59 | akeyless_url = cfg.get(BUILDKITE_PLUGIN_AKEYLESS_URL_PROPERTY, DEFAULT_AKEYLESS_URL) 60 | auth_access_id = cfg.get(BUILDKITE_PLUGIN_AUTH_ACCESS_ID_PROPERTY) 61 | store_token = cfg.get(BUILDKITE_STORE_TOKEN_PROPERTY, False) 62 | if not auth_access_id: 63 | print( 64 | f"Warning: {BUILDKITE_PLUGIN_AUTH_ACCESS_ID_PROPERTY} \ 65 | is not set in plugin configuration, retrieving auth access id from agent secret..." 66 | ) 67 | auth_secret_name = cfg.get(BUILDKITE_PLUGIN_AUTH_SECRET_NAME_PROPERTY) 68 | if not auth_secret_name: 69 | print( 70 | f"Error: {BUILDKITE_PLUGIN_AUTH_ACCESS_ID_PROPERTY} \ 71 | or {BUILDKITE_PLUGIN_AUTH_SECRET_NAME_PROPERTY} must be set in plugin configuration", 72 | file=sys.stderr, 73 | ) 74 | sys.exit(1) 75 | 76 | try: 77 | auth_access_id = subprocess.check_output( 78 | ["buildkite-agent", "secret", "get", auth_secret_name], 79 | text=True, 80 | ) 81 | except subprocess.CalledProcessError as e: 82 | print( 83 | f"Error retrieving auth access ID from BuildKite agent: {e}", 84 | file=sys.stderr, 85 | ) 86 | sys.exit(1) 87 | 88 | # First retrieve the signed OIDC JWT from BuildKite agent 89 | # Reference: https://buildkite.com/docs/agent/v3/cli-oidc 90 | print("Retrieving JWT from BuildKite...") 91 | 92 | try: 93 | # Execute buildkite-agent command to get JWT 94 | out = subprocess.check_output( 95 | ["buildkite-agent", "oidc", "request-token", "--audience", audience], 96 | text=True, 97 | ) 98 | jwt = out.strip() 99 | 100 | if not jwt: 101 | print("Failed to retrieve OIDC JWT from BuildKite agent") 102 | sys.exit(1) 103 | 104 | print("Got JWT") 105 | except subprocess.CalledProcessError as e: 106 | print(f"Error executing buildkite-agent command: {e}", file=sys.stderr) 107 | sys.exit(1) 108 | 109 | # Present this JWT to Akeyless to get our access token 110 | # Reference: https://docs.akeyless.io/reference/auth 111 | print("Trading BuildKite's JWT for Akeyless access token...") 112 | 113 | auth_data = { 114 | "access-type": AKEYLESS_AUTH_METHOD, 115 | "json": True, 116 | "access-id": auth_access_id, 117 | "jwt": jwt, 118 | } 119 | 120 | try: 121 | auth_request = urllib.request.Request( 122 | "{}/auth".format(akeyless_url), 123 | data=json.dumps(auth_data).encode("utf-8"), 124 | headers={"accept": "application/json", "content-type": "application/json"}, 125 | ) 126 | 127 | with urllib.request.urlopen(auth_request) as response: 128 | auth_response_data = response.read().decode("utf-8") 129 | token_json = json.loads(auth_response_data) 130 | except urllib.error.HTTPError as e: 131 | print( 132 | f"HTTP error communicating with Akeyless API: {e}", file=sys.stderr 133 | ) 134 | sys.exit(1) 135 | except urllib.error.URLError as e: 136 | print(f"Error communicating with Akeyless API: {e}", file=sys.stderr) 137 | sys.exit(1) 138 | except json.JSONDecodeError as e: 139 | print(f"Error parsing JSON response: {e}", file=sys.stderr) 140 | sys.exit(1) 141 | 142 | token = token_json.get("token") 143 | 144 | if not token: 145 | print("Failed to retrieve access token from Akeyless") 146 | sys.exit(1) 147 | 148 | print("Got access token") 149 | 150 | print("Retrieving secrets...") 151 | # Get the secret from Akeyless 152 | secret_data = { 153 | "json": False, 154 | "token": token, 155 | "names": list(secret_dict.values()), 156 | } 157 | 158 | try: 159 | secret_request = urllib.request.Request( 160 | "{}/get-secret-value".format(akeyless_url), 161 | data=json.dumps(secret_data).encode("utf-8"), 162 | headers={"accept": "application/json", "content-type": "application/json"}, 163 | ) 164 | 165 | with urllib.request.urlopen(secret_request) as response: 166 | secret_response_data = response.read().decode("utf-8") 167 | secret_result = json.loads(secret_response_data) 168 | except urllib.error.HTTPError as e: 169 | print( 170 | f"HTTP error communicating with Akeyless API: {e}", file=sys.stderr 171 | ) 172 | sys.exit(1) 173 | except urllib.error.URLError as e: 174 | print(f"Error communicating with Akeyless API: {e}", file=sys.stderr) 175 | sys.exit(1) 176 | except json.JSONDecodeError as e: 177 | print(f"Error parsing JSON response: {e}", file=sys.stderr) 178 | sys.exit(1) 179 | 180 | assert isinstance(secret_result, dict), ( 181 | "Expected Akeyless response to be a dictionary" 182 | ) 183 | # Convert all secret values into the required form to redact them: {"key":"secret1","key":"secret2"} 184 | 185 | # Store all secrets in the environment (using buildkite-agent env) and add them to redactor 186 | print("Storing secrets in environment variables...") 187 | 188 | # Register retrieved secrets with the redactor and set in BuildKite environment 189 | final_mapping = dict() 190 | for secret_name in secret_dict: 191 | secret_path = secret_dict[secret_name] 192 | secret_value = secret_result.get(secret_path) 193 | if secret_value is None: 194 | print( 195 | f"Warning: Secret `{secret_name}` not found in Akeyless response", 196 | file=sys.stderr, 197 | ) 198 | continue 199 | 200 | final_mapping[secret_name] = secret_value 201 | 202 | if not final_mapping: 203 | print("No valid secrets found in Akeyless response", file=sys.stderr) 204 | sys.exit(1) 205 | 206 | if store_token: 207 | if AKEYLESS_TOKEN_ENV_VAR in final_mapping: 208 | print( 209 | f"Warning: {AKEYLESS_TOKEN_ENV_VAR} already exists in the environment, overwriting it", 210 | file=sys.stderr, 211 | ) 212 | 213 | print(f"Storing Akeyless token in {AKEYLESS_TOKEN_ENV_VAR}") 214 | final_mapping[AKEYLESS_TOKEN_ENV_VAR] = token 215 | 216 | # First add to redactor to ensure sensitive data is properly redacted 217 | print("Adding secrets to redactor...") 218 | 219 | # Ensure all secret values are properly handled as strings 220 | # Some secrets may contain JSON as string values, so we need to ensure 221 | # they are treated as strings and not parsed as nested JSON 222 | safe_mapping = {} 223 | for key, value in final_mapping.items(): 224 | if isinstance(value, str): 225 | # Value is already a string, keep it as is 226 | safe_mapping[key] = value 227 | else: 228 | # Convert non-string values to strings 229 | safe_mapping[key] = str(value) 230 | 231 | # The redactor expects a flat JSON object with key-value pairs 232 | # as per https://buildkite.com/docs/agent/v3/cli-redactor 233 | try: 234 | redactor_json = json.dumps( 235 | safe_mapping, 236 | indent=None, 237 | separators=(",", ":"), 238 | ensure_ascii=True, 239 | ) 240 | except (TypeError, ValueError) as e: 241 | print( 242 | f"Error: Failed to serialize secrets for redactor: {e}", 243 | file=sys.stderr, 244 | ) 245 | print("Skipping redactor setup due to serialization error") 246 | redactor_json = None 247 | 248 | redactor_cmd = ["buildkite-agent", "redactor", "add", "--format=json"] 249 | 250 | if redactor_json: 251 | try: 252 | redactor_process = Popen( 253 | redactor_cmd, stdin=PIPE, stdout=PIPE, stderr=STDOUT, text=True 254 | ) 255 | redactor_stdout, _ = redactor_process.communicate(input=redactor_json) 256 | if redactor_process.returncode != 0: 257 | print( 258 | f"Warning: Redactor command failed with return code " 259 | f"{redactor_process.returncode}: {redactor_stdout}", 260 | file=sys.stderr, 261 | ) 262 | # Log the JSON for debugging (but be careful not to expose secrets) 263 | print( 264 | f"Warning: Failed to parse JSON with " 265 | f"{len(final_mapping)} secrets", 266 | file=sys.stderr, 267 | ) 268 | else: 269 | print("Successfully added secrets to redactor") 270 | except (OSError, subprocess.SubprocessError) as e: 271 | print( 272 | f"Warning: Exception running redactor command: {e}", 273 | file=sys.stderr, 274 | ) 275 | else: 276 | print("Warning: Skipping redactor due to JSON serialization failure") 277 | 278 | # Then set environment variables 279 | print("Setting environment variables...") 280 | 281 | # The env set command expects key-value pairs as an object 282 | # Use the same safe mapping to ensure consistency 283 | try: 284 | env_json = json.dumps( 285 | safe_mapping, indent=None, separators=(",", ":"), ensure_ascii=True 286 | ) 287 | except (TypeError, ValueError) as e: 288 | print( 289 | f"Error: Failed to serialize secrets for environment: {e}", 290 | file=sys.stderr, 291 | ) 292 | sys.exit(1) 293 | 294 | env_set_cmd = [ 295 | "buildkite-agent", 296 | "env", 297 | "set", 298 | "--input-format=json", 299 | "--output-format=quiet", 300 | "-", 301 | ] 302 | env_process = Popen( 303 | env_set_cmd, stdin=PIPE, stdout=PIPE, stderr=STDOUT, text=True 304 | ) 305 | env_stdout, _ = env_process.communicate(input=env_json) 306 | if env_process.returncode != 0: 307 | print( 308 | f"Warning: Environment setting command failed: {env_stdout}", 309 | file=sys.stderr, 310 | ) 311 | else: 312 | print("Successfully set environment variables") 313 | 314 | 315 | if __name__ == "__main__": 316 | main() --------------------------------------------------------------------------------