docs/versioned_docs/version-0.18.19/partials/cookbook/secrets/_use-secret-variable.mdx
The following Dagger Function accepts a GitHub personal access token as a Secret, and uses the Secret to authorize a request to the GitHub API. The secret may be sourced from the host (via an environment variable, host file, or host command) or from an external secrets manager (1Password or Vault):
You can use a secret sourced from an environment variable by running the following command:
<Tabs groupId="shell">
<TabItem value="System shell">

```shell
dagger -c 'github-api env://GITHUB_API_TOKEN'
```

</TabItem>
<TabItem value="Dagger Shell">

```shell title="First type 'dagger' for interactive mode."
github-api env://GITHUB_API_TOKEN
```

</TabItem>
<TabItem value="Dagger CLI">

```shell
dagger call github-api --token=env://GITHUB_API_TOKEN
```

</TabItem>
</Tabs>

You can also use a secret sourced from a host file, as in the example below:
<Tabs groupId="shell">
<TabItem value="System shell">

```shell
dagger -c 'github-api file://./github.txt'
```

</TabItem>
<TabItem value="Dagger Shell">

```shell title="First type 'dagger' for interactive mode."
github-api file://./github.txt
```

</TabItem>
<TabItem value="Dagger CLI">

```shell
dagger call github-api --token=file://./github.txt
```

</TabItem>
</Tabs>

A secret can also be sourced from the output of a command run on the host:
<Tabs groupId="shell">
<TabItem value="System shell">

```shell
dagger -c 'github-api cmd://"gh auth token"'
```

</TabItem>
<TabItem value="Dagger Shell">

```shell title="First type 'dagger' for interactive mode."
github-api cmd://"gh auth token"
```

</TabItem>
<TabItem value="Dagger CLI">

```shell
dagger call github-api --token=cmd://"gh auth token"
```

</TabItem>
</Tabs>

Use a secret from 1Password:
:::note
If using a 1Password service account, ensure that the `OP_SERVICE_ACCOUNT_TOKEN` environment variable is set.

```shell
export OP_SERVICE_ACCOUNT_TOKEN="mytoken"
```
:::
<Tabs groupId="shell">
<TabItem value="System shell">

```shell
dagger -c 'github-api op://infra/github/credential'
```

</TabItem>
<TabItem value="Dagger Shell">

```shell title="First type 'dagger' for interactive mode."
github-api op://infra/github/credential
```

</TabItem>
<TabItem value="Dagger CLI">

```shell
dagger call github-api --token=op://infra/github/credential
```

</TabItem>
</Tabs>

You can also retrieve secrets from HashiCorp Vault:
:::note
Ensure that the `VAULT_ADDR` and either the `VAULT_TOKEN` or `VAULT_APPROLE_ROLE_ID` (for Vault AppRole authentication) environment variables are set.

```shell
export VAULT_ADDR="https://127.0.0.1:8200"
export VAULT_TOKEN="gue55me7"
export VAULT_APPROLE_ROLE_ID="roleid-xxx-yyy-zzz"
```
:::
<Tabs groupId="shell">
<TabItem value="System shell">

```shell
dagger -c 'github-api vault://credentials.github'
```

</TabItem>
<TabItem value="Dagger Shell">

```shell title="First type 'dagger' for interactive mode."
github-api vault://credentials.github
```

</TabItem>
<TabItem value="Dagger CLI">

```shell
dagger call github-api --token=vault://credentials.github
```

</TabItem>
</Tabs>
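
The following preflight check is an added example, not part of Dagger or its documentation. It verifies the host-side prerequisites for each secret reference scheme shown above before the reference is handed to `dagger`, without ever printing the secret value. The function names `has_env` and `check_secret_ref`, the return codes, and the owner-only file permission rule are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Dagger code): preflight for a Dagger secret reference.
# Returns 0 ready, 1 prerequisite missing, 2 unknown scheme. Never prints a secret value.

# True when $1 is a valid variable name that is exported and non-empty.
has_env() {
    case $1 in ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;; esac
    [ -n "$(printenv "$1" 2>/dev/null)" ]
}

check_secret_ref() {
    ref=$1
    case $ref in
    env://*)
        has_env "${ref#env://}" || { echo "env: variable is unset, empty or not exported" >&2; return 1; } ;;
    file://*)
        path=${ref#file://}
        [ -r "$path" ] || { echo "file: $path is not readable" >&2; return 1; }
        # Policy of this example, not a Dagger rule: token files must be owner-only.
        if [ -n "$(find -L "$path" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
            echo "file: $path is readable by group or others (chmod 600)" >&2; return 1
        fi ;;
    cmd://*)
        prog=${ref#cmd://}; prog=${prog%% *}   # first word of the command line
        command -v "$prog" >/dev/null 2>&1 || { echo "cmd: $prog not found on PATH" >&2; return 1; } ;;
    op://*)
        # Needed only for 1Password service accounts, so report without failing.
        has_env OP_SERVICE_ACCOUNT_TOKEN || echo "op: OP_SERVICE_ACCOUNT_TOKEN is not set" >&2 ;;
    vault://*)
        has_env VAULT_ADDR || { echo "vault: VAULT_ADDR is not set" >&2; return 1; }
        has_env VAULT_TOKEN || has_env VAULT_APPROLE_ROLE_ID || {
            echo "vault: set VAULT_TOKEN or VAULT_APPROLE_ROLE_ID" >&2; return 1; } ;;
    *)
        echo "unsupported secret reference scheme" >&2; return 2 ;;
    esac
    return 0
}
```

Source the file and chain the check in front of the call, for example `check_secret_ref env://GITHUB_API_TOKEN && dagger call github-api --token=env://GITHUB_API_TOKEN`.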