vaultRotateSecretId

Rotate Vault AppRole Secret ID

Description

This step takes the given Vault AppRole secret ID, checks whether it needs to be renewed and, if so, updates the secret ID in the configured secret store.

Usage

We recommend defining the values of step parameters in the .pipeline/config.yml file.
In this case, calling the step is essentially reduced to stating the step name.
The step can be called either in an orchestrator-specific way (e.g. via a Jenkins library step) or on the command line.

Jenkins:
  library('piper-lib-os')
  vaultRotateSecretId script: this

Command line:
  piper vaultRotateSecretId

Prerequisites

Parameters

Overview - Step

Name                                  Mandatory  Additional information
adoPersonalAccessToken                (yes)      Vault Secret: pass via ENV, Vault or Jenkins credentials; mandatory in case of secretStore=ado
githubToken                           (yes)      Vault Secret: pass via ENV, Vault or Jenkins credentials; mandatory in case of secretStore=github
script                                (yes)      Jenkins only: reference to the Jenkins main pipeline script
vaultAppRoleSecretTokenCredentialsId  yes
vaultServerUrl                        yes
adoOrganization                       no
adoPipelineId                         no
adoProject                            no
daysBeforeExpiry                      no
githubApiUrl                          no
jenkinsCredentialDomain               no
jenkinsToken                          no         Vault Secret: pass via ENV, Vault or Jenkins credentials
jenkinsUrl                            no         Vault Secret: pass via ENV, Vault or Jenkins credentials
jenkinsUsername                       no         Vault Secret: pass via ENV, Vault or Jenkins credentials
owner                                 no
repository                            no
secretStore                           no
vaultNamespace                        no
verbose                               no         activates debug output

Overview - Execution Environment

Orchestrator-specific only

These parameters are relevant for orchestrator usage and not considered when using the command line option.

Name Mandatory Additional information

Details

adoOrganization

The Azure DevOps organization name

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_adoOrganization (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

adoPersonalAccessToken

The Azure DevOps personal access token

Scope Details
Aliases token
Type string
Mandatory mandatory in case of:
- secretStore=ado
Default $PIPER_adoPersonalAccessToken (if set)
Secret yes
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references
Vault resource:
  name: azureDevOpsVaultSecretName
  default value: azure-dev-ops

Vault paths:
  • $(vaultPath)/azure-dev-ops
  • $(vaultBasePath)/$(vaultPipelineName)/azure-dev-ops
  • $(vaultBasePath)/GROUP-SECRETS/azure-dev-ops

adoPipelineId

The Azure DevOps pipeline ID, also called the definition ID

Scope Details
Aliases -
Type int
Mandatory no
Default 0
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

adoProject

The Azure DevOps project ID; the project name can also be used

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_adoProject (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

daysBeforeExpiry

The number of days before expiry at which the secret ID gets rotated

Scope Details
Aliases -
Type int
Mandatory no
Default 15
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

githubApiUrl

Set the GitHub API URL that corresponds to the pipeline repository

Scope Details
Aliases -
Type string
Mandatory no
Default https://api.github.com
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

githubToken

GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line with the scope 'repo'

Scope Details
Aliases access_token, token
Type string
Mandatory mandatory in case of:
- secretStore=github
Default $PIPER_githubToken (if set)
Secret yes
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references
Vault resource:
  name: githubVaultSecretName
  default value: github

Vault paths:
  • $(vaultPath)/github
  • $(vaultBasePath)/$(vaultPipelineName)/github
  • $(vaultBasePath)/GROUP-SECRETS/github

jenkinsCredentialDomain

The Jenkins credential domain that should be used

Scope Details
Aliases -
Type string
Mandatory no
Default _
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

jenkinsToken

The Jenkins token

Scope Details
Aliases token
Type string
Mandatory no
Default $PIPER_jenkinsToken (if set)
Secret yes
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references
Vault resource:
  name: jenkinsVaultSecretName
  default value: jenkins

Vault paths:
  • $(vaultPath)/jenkins
  • $(vaultBasePath)/$(vaultPipelineName)/jenkins
  • $(vaultBasePath)/GROUP-SECRETS/jenkins

jenkinsUrl

The Jenkins URL

Scope Details
Aliases url
Type string
Mandatory no
Default $PIPER_jenkinsUrl (if set)
Secret yes
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references
Vault resource:
  name: jenkinsVaultSecretName
  default value: jenkins

Vault paths:
  • $(vaultPath)/jenkins
  • $(vaultBasePath)/$(vaultPipelineName)/jenkins
  • $(vaultBasePath)/GROUP-SECRETS/jenkins

jenkinsUsername

The Jenkins username

Scope Details
Aliases userId
Type string
Mandatory no
Default $PIPER_jenkinsUsername (if set)
Secret yes
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references
Vault resource:
  name: jenkinsVaultSecretName
  default value: jenkins

Vault paths:
  • $(vaultPath)/jenkins
  • $(vaultBasePath)/$(vaultPipelineName)/jenkins
  • $(vaultBasePath)/GROUP-SECRETS/jenkins

owner

Owner of the pipeline GitHub repository

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_owner (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references commonPipelineEnvironment:
  reference to: github/owner

repository

Name of the pipeline GitHub repository

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_repository (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references commonPipelineEnvironment:
  reference to: github/repository

script

Jenkins-specific: Used for proper environment setup.

The common script environment of the running Jenkinsfile. Typically the reference to the script calling the pipeline step is provided via this, as in script: this. This allows the function to access the commonPipelineEnvironment for retrieving, e.g., configuration parameters.

Scope Details
Aliases -
Type Jenkins Script
Mandatory yes
Default
Secret no
Configuration scope
  • ☐ parameter
  • ☐ general
  • ☐ steps
  • ☐ stages
Resource references none

secretStore

The store to which the secret should be written back

Scope Details
Aliases -
Type string
Mandatory no
Default jenkins
Possible values jenkins, ado, github
Secret no
Configuration scope
  • ☒ parameter
  • ☐ general
  • ☒ steps
  • ☒ stages
Resource references none

vaultAppRoleSecretTokenCredentialsId

The Jenkins credential ID, Azure DevOps variable name, or GitHub Actions secret name for the Vault AppRole Secret ID credential

Scope Details
Aliases -
Type string
Mandatory yes
Default $PIPER_vaultAppRoleSecretTokenCredentialsId (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

vaultNamespace

The Vault namespace that should be used (optional)

Scope Details
Aliases -
Type string
Mandatory no
Default $PIPER_vaultNamespace (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

vaultServerUrl

The URL for the Vault server to use

Scope Details
Aliases -
Type string
Mandatory yes
Default $PIPER_vaultServerUrl (if set)
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

verbose

verbose output

Scope Details
Aliases -
Type bool
Mandatory no
Default false
Possible values true, false
Secret no
Configuration scope
  • ☒ parameter
  • ☒ general
  • ☒ steps
  • ☒ stages
Resource references none

Exceptions

none

Examples
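The following is an added example, not code from the Piper project, showing the two decisions this step's parameters drive: which parameters are mandatory for a given secretStore, and whether a secret ID falls inside the daysBeforeExpiry rotation window. It assumes the secret ID's expiry is available as an RFC 3339 timestamp (the expiration_time field, as in a constructed sample here) and treats an empty expiry as a non-expiring secret ID; the configuration values are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# Default from the step documentation: rotate once the secret ID is
# within daysBeforeExpiry days of expiring.
DEFAULT_DAYS_BEFORE_EXPIRY = 15

# Parameters the documentation marks mandatory per secretStore value.
MANDATORY_BY_STORE = {
    "ado": ("adoPersonalAccessToken",),
    "github": ("githubToken",),
    "jenkins": (),
}
ALWAYS_MANDATORY = ("vaultAppRoleSecretTokenCredentialsId", "vaultServerUrl")


def missing_mandatory(config):
    """Return the mandatory parameters that are absent or empty in config."""
    store = config.get("secretStore", "jenkins")  # documented default
    if store not in MANDATORY_BY_STORE:
        raise ValueError(f"unknown secretStore {store!r}")
    required = ALWAYS_MANDATORY + MANDATORY_BY_STORE[store]
    return [p for p in required if not config.get(p)]


def rotation_due(expiration_time, now, days_before_expiry=DEFAULT_DAYS_BEFORE_EXPIRY):
    """True when the secret ID expires within days_before_expiry days of now.

    expiration_time is an RFC 3339 timestamp with UTC offset. Assumption of
    this example: an empty value means the secret ID never expires, so the
    time-based check never triggers a rotation for it.
    """
    if not expiration_time:
        return False
    expires = datetime.strptime(expiration_time, "%Y-%m-%dT%H:%M:%S%z")
    return expires - now <= timedelta(days=days_before_expiry)


# Constructed sample configuration and timestamps, not from a real system.
SAMPLE_CONFIG = {
    "secretStore": "ado",
    "vaultServerUrl": "https://vault.example.invalid",
    "vaultAppRoleSecretTokenCredentialsId": "vault-approle-secret-id",
    "adoOrganization": "example-org",
    "adoProject": "example-project",
    "adoPipelineId": 42,
    # adoPersonalAccessToken deliberately omitted so the check reports it
}
SAMPLE_NOW = datetime(2024, 6, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_EXPIRY = "2024-06-30T12:00:00+00:00"  # 10 days out: inside the 15-day window

if __name__ == "__main__":
    print("missing parameters:", missing_mandatory(SAMPLE_CONFIG))
    print("rotate now:", rotation_due(SAMPLE_EXPIRY, SAMPLE_NOW))
```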