Use secret variables

The following Dagger Function accepts a GitHub personal access token as a Secret, and uses the Secret to authorize a request to the GitHub API. The secret may be sourced from the host (via an environment variable, host file, or host command) or from an external secrets manager (1Password, Vault, or AWS Secrets Manager/Parameter Store):

<Tabs groupId="language" queryString="sdk"> <TabItem value="go" label="Go">
go
</TabItem> <TabItem value="python" label="Python">
python
</TabItem> <TabItem value="typescript" label="TypeScript">
typescript
</TabItem> </Tabs>

Using Environment Variables

You can use a secret sourced from an environment variable by running the following command:

<Tabs groupId="shell">
<TabItem value="System shell">
```shell
dagger -c 'github-api env://GITHUB_API_TOKEN'
```
</TabItem>
<TabItem value="Dagger Shell">
```shell title="First type 'dagger' for interactive mode."
github-api env://GITHUB_API_TOKEN
```
</TabItem>
<TabItem value="Dagger CLI">
```shell
dagger call github-api --token=env://GITHUB_API_TOKEN
```
</TabItem>
</Tabs>

Passing Files

You can also pass files to secrets by following the example below:

<Tabs groupId="shell">
<TabItem value="System shell">
```shell
dagger -c 'github-api file://./github.txt'
```
</TabItem>
<TabItem value="Dagger Shell">
```shell title="First type 'dagger' for interactive mode."
github-api file://./github.txt
```
</TabItem>
<TabItem value="Dagger CLI">
```shell
dagger call github-api --token=file://./github.txt
```
</TabItem>
</Tabs>

Secrets from command output

Secrets also support capturing data from running commands.

<Tabs groupId="shell">
<TabItem value="System shell">
```shell
dagger -c 'github-api cmd://"gh auth token"'
```
</TabItem>
<TabItem value="Dagger Shell">
```shell title="First type 'dagger' for interactive mode."
github-api cmd://"gh auth token"
```
</TabItem>
<TabItem value="Dagger CLI">
```shell
dagger call github-api --token=cmd://"gh auth token"
```
</TabItem>
</Tabs>

1Password

Use a secret from 1Password:

:::note
If using a 1Password service account, ensure that the OP_SERVICE_ACCOUNT_TOKEN environment variable is set.

```shell
export OP_SERVICE_ACCOUNT_TOKEN="mytoken"
```
:::

<Tabs groupId="shell">
<TabItem value="System shell">
```shell
dagger -c 'github-api op://infra/github/credential'
```
</TabItem>
<TabItem value="Dagger Shell">
```shell title="First type 'dagger' for interactive mode."
github-api op://infra/github/credential
```
</TabItem>
<TabItem value="Dagger CLI">
```shell
dagger call github-api --token=op://infra/github/credential
```
</TabItem>
</Tabs>

HashiCorp Vault

You can retrieve secrets from HashiCorp Vault.

:::note
Ensure that the VAULT_ADDR and either the VAULT_TOKEN or VAULT_APPROLE_ROLE_ID (for Vault AppRole authentication) environment variables are set.

```shell
export VAULT_ADDR="https://127.0.0.1:8200"
export VAULT_TOKEN="gue55me7"
export VAULT_APPROLE_ROLE_ID="roleid-xxx-yyy-zzz"
```
:::

<Tabs groupId="shell">
<TabItem value="System shell">
```shell
dagger -c 'github-api vault://credentials.github'
```
</TabItem>
<TabItem value="Dagger Shell">
```shell title="First type 'dagger' for interactive mode."
github-api vault://credentials.github
```
</TabItem>
<TabItem value="Dagger CLI">
```shell
dagger call github-api --token=vault://credentials.github
```
</TabItem>
</Tabs>

AWS Secrets Manager and Parameter Store

You can retrieve secrets from AWS Secrets Manager and AWS Systems Manager Parameter Store. Secrets Manager secrets can be referenced by using the aws+sm prefix in your URI, while Parameter Store secrets can be referenced using the aws+ps prefix.

:::note
Ensure that AWS credentials are configured via environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY), the shared credentials file (~/.aws/credentials), or IAM role credentials. The AWS_REGION environment variable must also be set.

```shell
export AWS_REGION="us-east-1"
export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
```
:::

AWS Secrets Manager

Use the aws+sm:// scheme with a secret name to retrieve from Secrets Manager:

<Tabs groupId="shell">
<TabItem value="System shell">
```shell
dagger -c 'github-api aws+sm://prod/github/token'
```
</TabItem>
<TabItem value="Dagger Shell">
```shell title="First type 'dagger' for interactive mode."
github-api aws+sm://prod/github/token
```
</TabItem>
<TabItem value="Dagger CLI">
```shell
dagger call github-api --token=aws+sm://prod/github/token
```
</TabItem>
</Tabs>

For JSON secrets, extract a specific field:

<Tabs groupId="shell">
<TabItem value="System shell">
```shell
dagger -c 'github-api aws+sm://prod/credentials?field=github_token'
```
</TabItem>
<TabItem value="Dagger Shell">
```shell title="First type 'dagger' for interactive mode."
github-api aws+sm://prod/credentials?field=github_token
```
</TabItem>
<TabItem value="Dagger CLI">
```shell
# Quoted so the system shell does not treat "?" as a glob character
dagger call github-api --token='aws+sm://prod/credentials?field=github_token'
```
</TabItem>
</Tabs>

AWS Parameter Store

Use the aws+ps:// scheme to retrieve from Parameter Store:

<Tabs groupId="shell">
<TabItem value="System shell">
```shell
dagger -c 'github-api aws+ps://prod/github/token'
```
</TabItem>
<TabItem value="Dagger Shell">
```shell title="First type 'dagger' for interactive mode."
github-api aws+ps://prod/github/token
```
</TabItem>
<TabItem value="Dagger CLI">
```shell
dagger call github-api --token=aws+ps://prod/github/token
```
</TabItem>
</Tabs>
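
A host-side preflight for the secret reference schemes above, as an added example that is not part of the Dagger documentation or code base. `check_secret_ref`, `have_env` and `die` are hypothetical helper names; the checks cover only the prerequisites this page states, and the file-permission test is an extra hardening assumption.

```shell
#!/bin/sh
# Added example (not Dagger code): host-side preflight for a secret reference.
# Exit status: 0 = prerequisites present, 1 = prerequisite missing, 2 = bad reference.
# The secret value itself is never printed and cmd:// commands are never executed.

have_env() { [ -n "$(printenv "$1" 2>/dev/null)" ]; }   # exported and non-empty
die() { echo "check_secret_ref: $2" >&2; exit "$1"; }

check_secret_ref() (   # body is a subshell, so die's exit only ends this check
  ref=$1
  case $ref in
    *://*) scheme=${ref%%://*}; rest=${ref#*://} ;;
    *) die 2 "no provider scheme; pass a URI, not a literal token" ;;
  esac
  case $scheme in
    env)
      case $rest in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) die 2 "invalid variable name" ;;
      esac
      have_env "$rest" || die 1 "$rest is not exported or is empty" ;;
    file)
      [ -r "$rest" ] || die 1 "$rest is not readable"
      # POSIX find prints the path when group or others can read it
      [ -z "$(find "$rest" -prune \( -perm -040 -o -perm -004 \))" ] ||
        die 1 "$rest is readable by group/others (chmod 600)" ;;
    cmd)
      prog=${rest%% *}   # first word only, e.g. gh in "gh auth token"
      command -v "$prog" >/dev/null 2>&1 || die 1 "$prog not found on PATH" ;;
    op)
      : ;;   # OP_SERVICE_ACCOUNT_TOKEN is only needed for service accounts
    vault)
      have_env VAULT_ADDR || die 1 "VAULT_ADDR is not set"
      have_env VAULT_TOKEN || have_env VAULT_APPROLE_ROLE_ID ||
        die 1 "set VAULT_TOKEN or VAULT_APPROLE_ROLE_ID" ;;
    aws+sm|aws+ps)
      have_env AWS_REGION || die 1 "AWS_REGION is not set" ;;
    *) die 2 "unknown scheme: $scheme" ;;
  esac
)
```

Run it ahead of the Dagger call in CI, for example `check_secret_ref 'vault://credentials.github' && dagger call github-api --token=vault://credentials.github`, so a missing prerequisite fails the job before any container work starts.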