Travis CI can now connect to a HashiCorp Vault instance. Secrets and configuration values are pulled into the CI job from your own Vault instance at build time instead of being stored permanently in Travis CI's native secret mechanisms. The feature is aimed at teams whose security policy requires full control over secrets through their own key management system.
In order to use the feature, a Travis CI user has to:
- have a HashiCorp Vault instance with a KV secrets engine (KV v2) enabled
- allow connections to that Vault instance from the Travis CI IP address ranges
- log into HashiCorp Vault and obtain an authentication token, which Travis CI will use to read the secrets
- encrypt that Vault token with the travis CLI (travis encrypt), so that only the ciphertext is committed to .travis.yml
In .travis.yml you can now use the following convenience hooks:
vault:
  token:
    secure: "Your encrypted token goes here"
  api_url: https://your-vault-kv2-api.endpoint
  secrets:
    - ns1/project_id/secret_key_a   # path to a secret in the Vault KV engine
If you use this feature, create a dedicated CI/CD account in HashiCorp Vault with a policy that grants access only to the secrets (credentials) and configuration entries the pipeline actually needs, and give its token a bounded TTL. A token that leaks from a build log or a compromised job then exposes only those paths, for a limited time, which keeps the security-related risk small.
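The procedure above, from the read-only Vault policy through token creation to encrypting the token for Travis, as an added example script. It is not part of the Travis CI or HashiCorp documentation; the KV v2 mount name `secret`, the policy name `travis-ci-ro`, the 720h token period and the repository slug `org/repo` are assumptions. The policy renderer encodes the one detail that is easy to get wrong: a KV v2 secret listed as `ns1/project_id/secret_key_a` in .travis.yml is served by the API at `<mount>/data/ns1/project_id/secret_key_a`, and that is the path the policy must grant.

```shell
#!/bin/sh
# Added example, not code from the Travis CI or HashiCorp documentation.
# Assumptions: KV v2 is mounted at "secret", the policy is "travis-ci-ro",
# the repository slug is "org/repo".
set -eu

VAULT_KV_MOUNT="${VAULT_KV_MOUNT:-secret}"         # assumed KV v2 mount point
CI_POLICY_NAME="${CI_POLICY_NAME:-travis-ci-ro}"   # assumed policy name

# Render a Vault policy that grants read-only access to exactly the secrets
# listed under "secrets:" in .travis.yml. KV v2 serves secret data at
# <mount>/data/<path>, so the policy must name that API path, not the
# logical path written in .travis.yml.
render_ci_policy() {
  mount="$1"
  shift
  for secret_path in "$@"; do
    printf 'path "%s/data/%s" {\n  capabilities = ["read"]\n}\n' \
      "$mount" "$secret_path"
  done
}

# Guard before writing a policy: returns 0 only when the policy text grants
# nothing beyond "read" (no create/update/patch/delete/list/sudo).
policy_is_read_only() {
  ! printf '%s' "$1" | grep -Eq '"(create|update|patch|delete|list|sudo)"'
}

# Write the policy and mint an orphan, periodic token bound to it. Needs the
# vault CLI plus VAULT_ADDR and an operator VAULT_TOKEN in the environment.
create_ci_token() {
  policy=$(render_ci_policy "$VAULT_KV_MOUNT" "$@")
  policy_is_read_only "$policy" || { echo "refusing non-read-only policy" >&2; return 1; }
  printf '%s\n' "$policy" | vault policy write "$CI_POLICY_NAME" -
  # A periodic token has a fixed TTL per renewal: it must be renewed within
  # the period (e.g. by an operator job) or Vault expires it.
  vault token create -policy="$CI_POLICY_NAME" -orphan -period=720h -field=token
}

# Encrypt the token for one repository with the travis CLI and paste the
# output under vault.token.secure in .travis.yml. Add --pro for travis-ci.com.
encrypt_for_travis() {
  travis encrypt -r "$1" "$2"
}

# Only runs the live steps when asked, since they need the vault/travis CLIs.
if [ "${1:-}" = "--run" ]; then
  token=$(create_ci_token ns1/project_id/secret_key_a)
  encrypt_for_travis org/repo "$token"
fi
```

Run it as `sh vault-travis-token.sh --run` with `VAULT_ADDR` and an operator `VAULT_TOKEN` exported; the refusal in `create_ci_token` is deliberate, so that a policy edited to add `update` or `delete` for convenience never reaches Vault under the CI token's name.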