How to use secrets

Drone provides the ability to store sensitive information such as passwords, tokens and keys in a central store so that you don’t need to include them in your Yaml file. This section of the documentation provides usage information for the secret subcommand.

Remove sensitive parameters from the Yaml file:

pipeline:
  publish:
    image: plugin/docker
-   username: octocat
-   password: pa55word
    foo: Bar
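
Review bot: the unchanged line `image: plugin/docker` names a different image than the `--image=plugins/docker` restriction used in the `drone secret add` commands on this page, so a reader copying both would register secrets for an image the step does not run. Suggest `image: plugins/docker` here.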

Instead, persist sensitive parameters to the secret store:

drone secret add \
  --image=plugins/docker \
  octocat/hello-world DOCKER_USERNAME octocat
drone secret add \
  --image=plugins/docker \
  octocat/hello-world DOCKER_PASSWORD pa55word

Secrets are provided to your container at runtime using the equivalent docker flags:

docker run \
+ -e DOCKER_USERNAME=octocat  \
+ -e DOCKER_PASSWORD=pa55word \
  plugins/docker

Signature

Drone does not expose secrets to your build unless the Yaml file is signed and verified. You can sign the Yaml using the command line utility and then commit the .drone.yml.sig file to your repository.

drone sign octocat/hello-world
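
The checks this page describes (a verified Yaml signature, an image restriction, an event restriction), sketched as a small Go model. This is an added example, not Drone's own code: the type and function names, the glob matching via `path.Match`, and the default event list are assumptions.

```go
package main

import (
	"fmt"
	"path"
)

// Secret and Build are a simplified model; names are illustrative, not Drone's types.
type Secret struct {
	Images     []string // patterns given with --image
	Events     []string // events given with --event
	SkipVerify bool     // --skip-verify=true
}

type Build struct {
	Image, Event string
	Verified     bool // .drone.yml checked against .drone.yml.sig
}

func matchAny(patterns []string, v string) bool {
	for _, p := range patterns {
		if ok, _ := path.Match(p, v); ok {
			return true
		}
	}
	return false
}

// Exposed reports whether the secret is passed to the step, or why not.
func Exposed(s Secret, b Build) (bool, string) {
	if !b.Verified && !s.SkipVerify {
		return false, "yaml signature not verified"
	}
	if !matchAny(s.Images, b.Image) {
		return false, "image not allowed"
	}
	if len(s.Events) == 0 {
		s.Events = []string{"push", "tag", "deployment"} // assumed default: no pull_request
	}
	if !matchAny(s.Events, b.Event) {
		return false, "event not allowed"
	}
	return true, ""
}

func main() {
	s := Secret{Images: []string{"plugins/docker", "plugins/docker:*"}}
	fmt.Println(Exposed(s, Build{Image: "plugins/docker:latest", Event: "push", Verified: true}))
	fmt.Println(Exposed(s, Build{Image: "plugins/docker", Event: "pull_request", Verified: true}))
}
```

In this model an untagged pattern such as `plugins/docker` does not match `plugins/docker:latest`, which is why the "with or without tags" example registers both patterns.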

Examples

Example command loads a secret from a file:

$ drone secrets add \
  --image=plugins/docker \
- octocat/hello-world DOCKER_PASSWORD ${cat /path/to/token.json}
+ octocat/hello-world DOCKER_PASSWORD @/path/to/token.json
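
Review bot: the command is spelled `drone secrets add` on the first line of this hunk and in the examples that follow, while the first section uses `drone secret add` and the introduction refers to the secret subcommand; pick one spelling so the examples can be copied as written. It would also help to say in one sentence why the `@/path/to/token.json` form is preferred over the removed line.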

Example command matches images with tags:

$ drone secrets add \
- --image=plugins/docker \
+ --image=plugins/docker:latest \
  octocat/hello-world DOCKER_USERNAME octocat

Example command matches images with or without tags:

$ drone secrets add \
  --image=plugins/docker \
+ --image=plugins/docker:* \
  octocat/hello-world DOCKER_USERNAME octocat

Example command enables use of credentials for pull requests:

$ drone secrets add \
  --image=plugins/docker \
+ --event=pull_request \
  octocat/hello-world DOCKER_USERNAME octocat
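
Review bot: `--event=pull_request` is added without stating which events a secret is available to when the flag is omitted; the sentence above only implies that pull requests are excluded. Suggest documenting the default next to this example and stating that, with this flag, the credentials are provided to builds triggered by pull requests.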

Example command skips Yaml signature verification:

$ drone secrets add \
  --image=plugins/docker \
+ --skip-verify=true \
  octocat/hello-world DOCKER_USERNAME octocat
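
Review bot: `--skip-verify=true` is shown with no statement of what it gives up. The Signature section says secrets are not exposed unless the Yaml file is signed and verified, so this example should carry a sentence saying that the secret is then provided to builds whose `.drone.yml` is unsigned or fails verification, and when that trade-off is acceptable.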
