Class VaultStep

java.lang.Object
hudson.model.AbstractDescribableImpl<org.jenkinsci.plugins.workflow.steps.Step>
org.jenkinsci.plugins.workflow.steps.Step
com.datapipe.jenkins.vault.VaultStep
All Implemented Interfaces:
ExtensionPoint, Describable<org.jenkinsci.plugins.workflow.steps.Step>

public class VaultStep extends org.jenkinsci.plugins.workflow.steps.Step
Pipeline step that fetches a single value from a Vault KV secret and returns it as a String. Designed for use inside Declarative Pipeline environment {} blocks.

The field to read can be given two ways:

  • explicitly via the key parameter (in which case path is used verbatim), or
  • folded into path, where the last segment after the final / is the field key and everything before it is the secret path. This applies only when key is absent.
 environment {
     // explicit key (drop-in compatible with the hashicorp-vault-pipeline-plugin `vault` step)
     DB_USER = vault path: 'secret/myapp/db', key: 'username', engineVersion: '2'

     // key folded into path
     DB_HOST = vault(path: 'secret/myapp/db/host', credentialsId: 'vault-approle')
     DB_PASS = vault(path: 'secret/myapp/db/password', credentialsId: 'vault-approle',
                   vaultUrl: 'https://vault:8200', vaultNamespace: 'prod')
 }
 

Breaking change: this step is registered under the function name vault. It supersedes the vaultCredentials step name shipped in release 381.v4277b_9fa_a_380 (#367); that name is no longer registered. Pipelines that adopted vaultCredentials(...) must switch to vault(...). Aligning on the vault name is what makes migrating off the abandoned hashicorp-vault-pipeline-plugin a drop-in change (see #369).

When credentialsId is omitted, the credential from the global Vault configuration is used.

When maskSecret is true (the default), the resolved value is registered with VaultMaskedValuesFilter so it is automatically redacted from subsequent console output.
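The path/key resolution rule described above, written out as an added illustration (this is not the plugin's own code). The class name VaultPathResolver, the Target record, and the rejection of inputs that would leave the secret path or the field empty are assumptions; the page does not say how VaultStep treats those inputs. Requires Java 16 or later for the record syntax.

```java
import java.util.Objects;

/** Hypothetical helper illustrating the documented path/key rule; not part of the plugin. */
public final class VaultPathResolver {

    /** The secret path to read and the field to return from it. */
    public record Target(String secretPath, String field) {}

    /** A null key models a step call where the key parameter is omitted. */
    public static Target resolve(String path, String key) {
        Objects.requireNonNull(path, "path");
        // Explicit key: path is used verbatim, as the page states.
        if (key != null) {
            return new Target(path, key);
        }
        // Key absent: the segment after the final '/' is the field key,
        // everything before it is the secret path.
        int slash = path.lastIndexOf('/');
        // Assumption: reject inputs that leave either part empty, e.g.
        // "password" (no '/'), "/password", or "secret/myapp/db/" (trailing '/').
        if (slash <= 0 || slash == path.length() - 1) {
            throw new IllegalArgumentException(
                "path must be <secret path>/<field> when key is omitted: " + path);
        }
        return new Target(path.substring(0, slash), path.substring(slash + 1));
    }

    public static void main(String[] args) {
        // Inputs taken from the environment {} sample on this page.
        System.out.println(resolve("secret/myapp/db", "username"));
        System.out.println(resolve("secret/myapp/db/password", null));
        try {
            resolve("secret/myapp/db/", null); // constructed malformed input
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Adding key to a call that previously folded the field into path changes which secret path is read, because path is then taken verbatim.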

  • Constructor Details

    • VaultStep

      @DataBoundConstructor public VaultStep(@NonNull String path)
  • Method Details

    • setKey

      @DataBoundSetter public void setKey(@CheckForNull String key)
    • setCredentialsId

      @DataBoundSetter public void setCredentialsId(@CheckForNull String credentialsId)
    • setVaultUrl

      @DataBoundSetter public void setVaultUrl(@CheckForNull String vaultUrl)
    • setVaultNamespace

      @DataBoundSetter public void setVaultNamespace(@CheckForNull String vaultNamespace)
    • setEngineVersion

      @DataBoundSetter public void setEngineVersion(@CheckForNull String engineVersion)
      Per-call KV engine version override. Declared as a String (e.g. '1' or '2') to match the old vault path: '...', engineVersion: '2' syntax exactly, so existing pipelines bind as-is. Quote the value, as the old step required.
    • setMaskSecret

      @DataBoundSetter public void setMaskSecret(boolean maskSecret)
    • getPath

      public String getPath()
    • getKey

      @CheckForNull public String getKey()
    • getCredentialsId

      @CheckForNull public String getCredentialsId()
    • getVaultUrl

      @CheckForNull public String getVaultUrl()
    • getVaultNamespace

      @CheckForNull public String getVaultNamespace()
    • getEngineVersion

      @CheckForNull public String getEngineVersion()
    • isMaskSecret

      public boolean isMaskSecret()
    • start

      public org.jenkinsci.plugins.workflow.steps.StepExecution start(org.jenkinsci.plugins.workflow.steps.StepContext context) throws Exception
      Specified by:
      start in class org.jenkinsci.plugins.workflow.steps.Step
      Throws:
      Exception
    • fetchValue

      protected String fetchValue(String path, String key, Run<?,?> run, TaskListener listener)