vaultRotateSecretId

Rotate Vault AppRole Secret ID

Description

This step takes the given Vault secret ID and checks whether it needs to be renewed and if so it will update the secret ID in the configured secret store.

Usage

We recommend to define values of step parameters via .pipeline/config.yml file.
In this case, calling the step is essentially reduced to defining the step name.
Calling the step can be done either in an orchestrator specific way (e.g. via a Jenkins library step) or on the command line.

JenkinsCommand Line

library('piper-lib-os')

vaultRotateSecretId script: this

piper vaultRotateSecretId

Prerequisites

Parameters

Overview - Step

Name	Mandatory	Additional information
adoPersonalAccessToken	(yes)	pass via ENV, Vault or Jenkins credentials mandatory in case of: - secretStore=ado
githubToken	(yes)	pass via ENV, Vault or Jenkins credentials mandatory in case of: - secretStore=github
script	(yes)	reference to Jenkins main pipeline script
vaultAppRoleSecretTokenCredentialsId	yes
vaultServerUrl	yes
adoOrganization	no
adoPipelineId	no
adoProject	no
daysBeforeExpiry	no
githubApiUrl	no
jenkinsCredentialDomain	no
jenkinsToken	no	pass via ENV, Vault or Jenkins credentials
jenkinsUrl	no	pass via ENV, Vault or Jenkins credentials
jenkinsUsername	no	pass via ENV, Vault or Jenkins credentials
owner	no
repository	no
secretStore	no
vaultNamespace	no
verbose	no	activates debug output

Overview - Execution Environment

Orchestrator-specific only

These parameters are relevant for orchestrator usage and not considered when using the command line option.

Name	Mandatory	Additional information

Details

adoOrganization

The Azure DevOps organization name

back to overview

Scope	Details
Aliases	-
Type	string
Mandatory	no
Default	$PIPER_adoOrganization (if set)
Secret	no
Configuration scope	☒ parameter ☒ general ☒ steps ☒ stages
Resource references	none

adoPersonalAccessToken

The Azure DevOps personal access token

back to overview

Scope	Details
Aliases	token
Type	string
Mandatory	mandatory in case of: - secretStore=ado
Default	$PIPER_adoPersonalAccessToken (if set)
Secret	yes
Configuration scope	☒ parameter ☐ general ☒ steps ☒ stages
Resource references	Vault paths: $(vaultPath)/azure-dev-ops $(vaultBasePath)/$(vaultPipelineName)/azure-dev-ops $(vaultBasePath)/GROUP-SECRETS/azure-dev-ops

adoPipelineId

The Azure DevOps pipeline ID. Also called as definition ID

back to overview

Scope	Details
Aliases	-
Type	int
Mandatory	no
Default	0
Secret	no
Configuration scope	☒ parameter ☐ general ☒ steps ☒ stages
Resource references	none

adoProject

The Azure DevOps project ID. Project name also can be used

back to overview

Scope	Details
Aliases	-
Type	string
Mandatory	no
Default	$PIPER_adoProject (if set)
Secret	no
Configuration scope	☒ parameter ☐ general ☒ steps ☒ stages
Resource references	none

daysBeforeExpiry

The amount of days before expiry until the secret ID gets rotated

back to overview

Scope	Details
Aliases	-
Type	int
Mandatory	no
Default	15
Secret	no
Configuration scope	☒ parameter ☐ general ☒ steps ☒ stages
Resource references	none

githubApiUrl

Set the GitHub API URL that corresponds to the pipeline repository

back to overview

Scope	Details
Aliases	-
Type	string
Mandatory	no
Default	https://api.github.com
Secret	no
Configuration scope	☒ parameter ☒ general ☒ steps ☒ stages
Resource references	none

githubToken

GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line with the scope 'repo'

back to overview

Scope	Details
Aliases	- access_token - token
Type	string
Mandatory	mandatory in case of: - secretStore=github
Default	$PIPER_githubToken (if set)
Secret	yes
Configuration scope	☒ parameter ☒ general ☒ steps ☒ stages
Resource references	Vault paths: $(vaultPath)/github $(vaultBasePath)/$(vaultPipelineName)/github $(vaultBasePath)/GROUP-SECRETS/github

jenkinsCredentialDomain

The jenkins credential domain which should be used

back to overview

Scope	Details
Aliases	-
Type	string
Mandatory	no
Default	_
Secret	no
Configuration scope	☒ parameter ☐ general ☒ steps ☒ stages
Resource references	none

jenkinsToken

The jenkins token

back to overview

Scope	Details
Aliases	token
Type	string
Mandatory	no
Default	$PIPER_jenkinsToken (if set)
Secret	yes
Configuration scope	☒ parameter ☐ general ☒ steps ☒ stages
Resource references	Vault paths: $(vaultPath)/jenkins $(vaultBasePath)/$(vaultPipelineName)/jenkins $(vaultBasePath)/GROUP-SECRETS/jenkins

jenkinsUrl

The jenkins url

back to overview

Scope	Details
Aliases	url
Type	string
Mandatory	no
Default	$PIPER_jenkinsUrl (if set)
Secret	yes
Configuration scope	☒ parameter ☐ general ☒ steps ☒ stages
Resource references	Vault paths: $(vaultPath)/jenkins $(vaultBasePath)/$(vaultPipelineName)/jenkins $(vaultBasePath)/GROUP-SECRETS/jenkins

jenkinsUsername

The jenkins username

back to overview

Scope	Details
Aliases	userId
Type	string
Mandatory	no
Default	$PIPER_jenkinsUsername (if set)
Secret	yes
Configuration scope	☒ parameter ☐ general ☒ steps ☒ stages
Resource references	Vault paths: $(vaultPath)/jenkins $(vaultBasePath)/$(vaultPipelineName)/jenkins $(vaultBasePath)/GROUP-SECRETS/jenkins

owner

Owner of the pipeline GitHub repository

back to overview

Scope	Details
Aliases	-
Type	string
Mandatory	no
Default	$PIPER_owner (if set)
Secret	no
Configuration scope	☒ parameter ☒ general ☒ steps ☒ stages
Resource references	commonPipelineEnvironment:   reference to: github/owner

repository

Name of the pipeline GitHub repository

back to overview

Scope	Details
Aliases	-
Type	string
Mandatory	no
Default	$PIPER_repository (if set)
Secret	no
Configuration scope	☒ parameter ☒ general ☒ steps ☒ stages
Resource references	commonPipelineEnvironment:   reference to: github/repository

script

Jenkins-specific: Used for proper environment setup.

The common script environment of the Jenkinsfile running. Typically the reference to the script calling the pipeline step is provided with the this parameter, as in script: this. This allows the function to access the commonPipelineEnvironment for retrieving, e.g. configuration parameters.

back to overview

Scope	Details
Aliases	-
Type	Jenkins Script
Mandatory	yes
Default
Secret	no
Configuration scope	☐ parameter ☐ general ☐ steps ☐ stages
Resource references	none

secretStore

The store to which the secret should be written back to

back to overview

Scope	Details
Aliases	-
Type	string
Mandatory	no
Default	jenkins
Possible values	- jenkins - ado - github
Secret	no
Configuration scope	☒ parameter ☐ general ☒ steps ☒ stages
Resource references	none

vaultAppRoleSecretTokenCredentialsId

The Jenkins credential ID, Azure DevOps variable name, or GitHub Actions secret name for the Vault AppRole Secret ID credential

back to overview

Scope	Details
Aliases	-
Type	string
Mandatory	yes
Default	$PIPER_vaultAppRoleSecretTokenCredentialsId (if set)
Secret	no
Configuration scope	☒ parameter ☒ general ☒ steps ☒ stages
Resource references	none

vaultNamespace

The Vault namespace that should be used (optional)

back to overview

Scope	Details
Aliases	-
Type	string
Mandatory	no
Default	$PIPER_vaultNamespace (if set)
Secret	no
Configuration scope	☒ parameter ☒ general ☒ steps ☒ stages
Resource references	none

vaultServerUrl

The URL for the Vault server to use

back to overview

Scope	Details
Aliases	-
Type	string
Mandatory	yes
Default	$PIPER_vaultServerUrl (if set)
Secret	no
Configuration scope	☒ parameter ☒ general ☒ steps ☒ stages
Resource references	none

verbose

verbose output

back to overview

Scope	Details
Aliases	-
Type	bool
Mandatory	no
Default	false
Possible values	- true - false
Secret	no
Configuration scope	☒ parameter ☒ general ☒ steps ☒ stages
Resource references	none

Exceptions

none

Examples