Secrets & Vault
The Orchestrator provides secrets management at three levels: personal, organization, and repository. Secrets are injected into pipeline runs and are never exposed in logs or the UI.
🔐 Built-in Secrets
Creating Secrets
Navigate to the secrets page for the scope you need:
- Personal: Settings → Secrets
- Organization: Organization Settings → Secrets
- Repository: Project Settings → Secrets
Click Add Secret, enter a key name (e.g. NPM_TOKEN, DEPLOY_KEY) and its value.
Secret Precedence
When the same key exists at multiple levels, the most specific scope wins:
- Repository secrets (highest priority)
- Organization secrets
- Personal secrets (lowest priority)
Managing Secrets
Secret values are write-only: the UI lists which keys are configured but never shows their values. To rotate a secret, set it again under the same key; deleting a secret removes it permanently.
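The precedence rule above and the "never exposed in logs" guarantee are the two behaviours a pipeline author relies on. The following is an added example (not the Orchestrator's own code) that resolves the three scopes into the environment a run would receive and masks every configured value, including shadowed ones, from log lines. The scope names and their order come from this page; the function names, data layout and the regex-based redaction are assumptions made for the illustration.

```python
"""Scope precedence for built-in secrets, plus log redaction.

Added example, not the Orchestrator's own code. The three scopes and the
repository > organization > personal precedence are from the page; the
function names, data structures and the redaction approach are assumptions
made for this illustration.
"""
from __future__ import annotations

import re

# Most specific scope first: the first scope that defines a key wins.
SCOPE_ORDER = ("repository", "organization", "personal")


def resolve_secrets(scoped: dict[str, dict[str, str]]) -> dict[str, tuple[str, str]]:
    """Merge per-scope maps {scope: {key: value}} into {key: (value, winning_scope)}.

    Unknown scope names raise instead of being ignored, so a typo in a scope
    name cannot silently drop every secret defined under it.
    """
    unknown = set(scoped) - set(SCOPE_ORDER)
    if unknown:
        raise ValueError(f"unknown scope(s): {sorted(unknown)}")
    resolved: dict[str, tuple[str, str]] = {}
    # Walk least-specific first so each more specific scope overwrites the last.
    for scope in reversed(SCOPE_ORDER):
        for key, value in scoped.get(scope, {}).items():
            resolved[key] = (value, scope)
    return resolved


def env_for_run(resolved: dict[str, tuple[str, str]]) -> dict[str, str]:
    """Environment block handed to the pipeline run: winning values only."""
    return {key: value for key, (value, _scope) in resolved.items()}


def all_values(scoped: dict[str, dict[str, str]]) -> set[str]:
    """Every configured value, shadowed ones included: a shadowed secret is
    still a secret and must be masked if a step happens to print it."""
    return {v for per_scope in scoped.values() for v in per_scope.values()}


class Redactor:
    """Replace known secret values in log output with ***.

    Longer values are tried first so that a secret which is a prefix of
    another cannot leave the tail of the longer one readable. Values shorter
    than MIN_LEN are not masked, since masking them would shred ordinary text.
    """

    MIN_LEN = 4

    def __init__(self, values):
        ordered = sorted({v for v in values if len(v) >= self.MIN_LEN}, key=len, reverse=True)
        self._pattern = re.compile("|".join(re.escape(v) for v in ordered)) if ordered else None

    def redact(self, line: str) -> str:
        return line if self._pattern is None else self._pattern.sub("***", line)


# Constructed sample data: NPM_TOKEN is set at all three scopes.
SAMPLE_SCOPES = {
    "personal": {"NPM_TOKEN": "npm_personal_111", "GH_TOKEN": "ghp_personal_222"},
    "organization": {"NPM_TOKEN": "npm_org_333", "DEPLOY_KEY": "org-deploy-key-444"},
    "repository": {"NPM_TOKEN": "npm_repo_555"},
}

if __name__ == "__main__":
    resolved = resolve_secrets(SAMPLE_SCOPES)
    for key, (_value, scope) in sorted(resolved.items()):
        print(f"{key}: taken from {scope} scope")
    redactor = Redactor(all_values(SAMPLE_SCOPES))
    print(redactor.redact("npm login --token npm_repo_555 (org fallback was npm_org_333)"))
```

A redactor like this only catches values printed verbatim on one line; production CI systems also mask common encodings of a secret (base64, URL-encoded) and values split across lines, so do not treat log masking as a substitute for keeping secrets out of command output in the first place.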
🏦 External Vault (HashiCorp Vault)
The Orchestrator supports three secret-storage modes. The two external modes integrate with HashiCorp Vault for teams that already run it:
Internal Mode
The orchestrator manages secrets in its own storage. No external Vault is needed. This is the default.
External: Orchestrator Proxy
The orchestrator connects to your Vault instance and proxies secret requests on behalf of agents. Agents never access Vault directly.
Agent → Orchestrator → Vault
External: Agent Direct
Agents connect to Vault directly during job execution. The orchestrator stores the Vault configuration but does not proxy requests, so each agent needs network reachability to Vault and presents the Vault credentials itself.
Agent → Vault (direct)
🔧 Vault Configuration
Configure Vault from the settings page at the appropriate scope (Settings → Vault, Organization Settings → Vault, or Project Settings → Vault).
Provide the following:
| Field | Description |
|---|---|
| Vault address | URL of your Vault instance (e.g. https://vault.example.com) |
| Auth method | Token or AppRole |
| Mount path | Secret engine mount (e.g. secret) |
| Path | Path within the mount (e.g. ci/myproject) |
| Namespace | Optional Vault namespace |
For Token auth, provide a Vault token. For AppRole, provide the Role ID and Secret ID. Prefer AppRole over a long-lived token where you can: the Role ID and Secret ID are bound to a single role and its policies, and the Secret ID can be rotated or given a short TTL.
Use the Test Connection button to validate your configuration before saving.
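To make the fields above concrete, here is an added example (not the Orchestrator's code) of the exchange that either the orchestrator (proxy mode) or an agent (Agent Direct mode) performs against Vault: log in with a Token or with AppRole, send the optional namespace as a header, and read the configured mount/path from a KV v2 engine. It also shows what a "Test Connection" check should verify. The endpoints, headers and response shapes are those of HashiCorp Vault's HTTP API; the address, role, mount, path, namespace and the `fake_vault` transport are constructed so the example runs offline.

```python
"""Talk to Vault the way the proxy and Agent Direct modes need to: log in
(Token or AppRole), confirm the token works, read a KV v2 path under a mount.

Added example, not the Orchestrator's code. The endpoints, headers and JSON
shapes are those of HashiCorp Vault's HTTP API; the address, role, mount,
path, namespace and the fake_vault transport are constructed for offline use.
"""
from __future__ import annotations

import json
import urllib.request
from typing import Callable, Optional

# (method, url, headers, json_body) -> parsed JSON response
Transport = Callable[[str, str, dict, Optional[dict]], dict]


def http_transport(method: str, url: str, headers: dict, body: Optional[dict]) -> dict:
    """Real transport: Vault answers 4xx on bad auth, which urlopen raises as HTTPError."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={**headers, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class VaultClient:
    def __init__(self, address: str, namespace: Optional[str] = None,
                 transport: Transport = http_transport):
        self.address = address.rstrip("/")
        self.namespace = namespace
        self.transport = transport
        self.token: Optional[str] = None

    def _headers(self) -> dict:
        h: dict = {}
        if self.namespace:  # Enterprise namespaces travel in a header, not in the URL
            h["X-Vault-Namespace"] = self.namespace
        if self.token:
            h["X-Vault-Token"] = self.token
        return h

    def login_token(self, token: str) -> dict:
        """Token auth: adopt the token and prove it is valid with lookup-self."""
        self.token = token
        return self.transport("GET", f"{self.address}/v1/auth/token/lookup-self", self._headers(), None)["data"]

    def login_approle(self, role_id: str, secret_id: str) -> dict:
        """AppRole auth: exchange Role ID + Secret ID for a client token."""
        resp = self.transport("POST", f"{self.address}/v1/auth/approle/login", self._headers(),
                              {"role_id": role_id, "secret_id": secret_id})
        self.token = resp["auth"]["client_token"]
        return resp["auth"]

    @staticmethod
    def kv2_data_url(address: str, mount: str, path: str) -> str:
        """KV v2 inserts 'data/' between mount and path; omitting it yields a 404."""
        return f"{address.rstrip('/')}/v1/{mount.strip('/')}/data/{path.strip('/')}"

    def read_kv2(self, mount: str, path: str) -> dict:
        resp = self.transport("GET", self.kv2_data_url(self.address, mount, path), self._headers(), None)
        return resp["data"]["data"]  # KV v2 nests the key/value pairs under data.data

    def test_connection(self, mount: str, path: str) -> dict:
        """What a 'Test Connection' button should verify: the token is valid AND
        its policy actually permits reading the configured mount/path."""
        ttl = self.transport("GET", f"{self.address}/v1/auth/token/lookup-self", self._headers(), None)["data"]["ttl"]
        keys = sorted(self.read_kv2(mount, path))
        return {"token_ttl": ttl, "keys": keys}


def fake_vault(method, url, headers, body):
    """Constructed stand-in for https://vault.example.com (no network access)."""
    base = "https://vault.example.com/v1/"
    route = url[len(base):] if url.startswith(base) else url
    if method == "POST" and route == "auth/approle/login":
        if body == {"role_id": "ci-role-id", "secret_id": "ci-secret-id"}:
            return {"auth": {"client_token": "hvs.fake-token", "lease_duration": 3600, "renewable": True}}
        raise PermissionError("invalid role or secret ID")
    if headers.get("X-Vault-Token") != "hvs.fake-token":
        raise PermissionError("permission denied")
    if method == "GET" and route == "auth/token/lookup-self":
        return {"data": {"ttl": 3600, "policies": ["ci-read"]}}
    if method == "GET" and route == "secret/data/ci/myproject":
        return {"data": {"data": {"NPM_TOKEN": "npm_abc", "DEPLOY_KEY": "ssh-ed25519 AAAA"},
                         "metadata": {"version": 3}}}
    raise FileNotFoundError(route)


if __name__ == "__main__":
    client = VaultClient("https://vault.example.com", namespace="team-a", transport=fake_vault)
    client.login_approle("ci-role-id", "ci-secret-id")
    print(client.test_connection("secret", "ci/myproject"))
```

Two details matter in practice: the `data/` segment that KV v2 inserts between the mount and the path (a configuration that works against a KV v1 engine will 404 against v2 without it), and the fact that a valid token is not enough, since the attached policy must also grant `read` on that exact path, which is why the connection test reads the configured path rather than only calling `lookup-self`.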
🛡️ Organization Security Policy
Organization admins can enforce a vault mode across all projects from Organization Settings → Security Policy. When set to non-overridable, individual repositories cannot change the vault mode. See Organizations for details.
For programmatic secrets management, see REST API.