Comment on page
Cloud secrets
Earthly has the ability to use secure cloud-based storage for build secrets. This page goes through the basic setup and usage examples.
Cloud secrets can be used to share secrets between team members or across multiple computers and a CI systems.
This page covers the use of cloud-hosted secrets. It builds upon the understanding of build arguments and locally-supplied secrets.
In order to be able to use cloud secrets, you need to first register an Earthly Cloud account. Visit Earthly Cloud to sign up for free.
Then, you need create an Earthly project. To do that, you may use the web interface or the command...
earthly project create <project-name>
Access to secrets is controlled by the project they belong to. Anyone with at least
read+secrets
access level for the org or the specific project will be able to see and use the secrets in their builds. Anyone with write
access level will be able to create, modify and delete secrets. For more information on managing permissions see the Managing Permissions page.Each Earthly project has its own isolated secret store. Multiple code repositories may be associated with a single Earthly project. To view the secrets within a given project, you can run
earthly secret --project <project-name> ls
To set a secret value, use the
secret set
command:earthly secret --project <project-name> set my_key 'hello world'
To view a secret value, use the
secret get
command:earthly secret --project <project-name> ls
earthly secret --project <project-name> get my_key
If a secret key starts with
/user/
, then the secret is stored in a special location accessible only by the current user. These secrets can never be shared. This may be useful, in cases where builds require that each developer uses their own set of credentials to access certain resources during builds.When using the
/user/
prefix, the org name and project name are no longer required. These secrets may otherwise be accessed the same way.earthly secret ls /user
earthly secret set /user/my_private_key 'hello private world'
earthly secret ls /user
earthly secret get /user/my_private_key
When secrets need to be referenced in an Earthfile, you need to declare the project the secrets belong to at the top of the Earthfile, after the
VERSION
declaration.VERSION 0.7
PROJECT <org-name>/<project-name>
For example:
RUN --secret MY_KEY=my_key echo $MY_KEY
The env variable
MY_KEY
will be set with the value stored under the secret key my_key
.Or, to reference a user secret:
RUN --secret MY_KEY=/user/my_private_key echo $MY_KEY
Cloud secrets can also be used to log into container registries such as DockerHub, AWS ECR, or GCP Artifact Registry. Here is the command to use:
earthly registry --org <org-name> --project <project-name> \
setup --username <registry-user-name> --password-stdin \
<host>
This command stores the username and password within the cloud secrets store. Earthly picks these up automatically when pulling or pushing images. If the registry is DockerHub, then you can leave out the registry host argument.
You may additionally log into other registries, such as AWS ECR, or GCP Artifact Registry, by using the following:
# For AWS ECR
earthly registry --org <org-name> --project <project-name> setup --cred-helper ecr-login --aws-access-key-id <key> --aws-secret-access-key <secret> <host>
# For GCP Artifact Registry
earthly registry --org <org-name> --project <project-name> setup --cred-helper gcloud --gcp-service-account-key <key> <host>
The Earthly command uses HTTPS to communicate with the cloud secrets server. The server encrypts all secrets using OpenPGP's implementation of AES256 before storing it in a database. We use industry-standard security practices for managing our encryption keys in the cloud. For more information see our Security page.
The 0.6 version of Earthly cloud secrets is no longer supported. To help migrate to the new version, a migration command has been made available.
In the 0.6 version, the secrets were stored globally as part of an Earthly organization. In the new version, secrets are stored per project. To migrate, you need to first create a new project using
earthly
0.7+ (if you haven't already), and then run the migration command.You will first need to have read access to the source organization, and write access to the project you will be migrating to. The source organization can be the same as the destination one.
earthly project --org <org-name> create <project-name>
earthly secret --org <org-name> --project <project-name> migrate <source-org-name>
Once migration is complete, you can view the secrets in the new project using
earthly secret ls
.earthly secret --project <project-name> ls
To update your Earthfile to use the new secrets, you need to add the
PROJECT
declaration at the top of any Earthfile that needs secret access.VERSION 0.7
PROJECT <org-name>/<project-name>
Secret references then need to be changed from
RUN --secret <env-var>=+secrets/<org-name>/<secret-key>
to RUN --secret <env-var>=<secret-key>
. So the prefix +secrets/<org-name>/
needs to be removed. For user secrets, only the prefix +secrets
needs to be removed, such that the key of the secret contains the /user/
prefix.Please note that user secrets are not migrated by the
migrate
command. You will need to manually re-create them.