Skip to content

Pipelines - STACKIT Compatibility

Last updated on

STACKIT Secret Manager is compatible with the HashiCorp Vault API.
This compatibility allows you to retrieve secrets in STACKIT Git Pipelines using existing tools such as the hashicorp/vault-action GitHub Action.

By integrating the Secret Manager into your pipelines, you can securely access credentials, tokens, and configuration values during workflow running.

To retrieve secrets from STACKIT Secret Manager within a pipeline workflow, follow the steps below.

Before configuring the pipeline, obtain the following information from the STACKIT Portal:

  • Username and password
    Credentials used to authenticate against the Secret Manager API.

Screenshot of the STACKIT Portal showing the "Users" management view within the Secrets Manager. The left sidebar navigation highlights the selected "Users" section below "Overview". The main content area features a yellow "Create user" button at the top and displays a table listing multiple active users with their hidden names, descriptive labels like "Pipelines user", and assigned roles such as "Read and write" or "Read only".

  • API URL
    The endpoint used to access the STACKIT Secret Manager service.

  • Secret Manager UUID
    The unique identifier of your Secret Manager instance.

Screenshot of the STACKIT Portal interface showing instance details for a Secret Manager container. The upper card "General information" displays details such as the instance name "global-git-secrets", a green "Active" status, 3 users, 12 secrets, and a default version limit set to 0 (unlimited). The lower card is titled "Endpoints", with sensitive technical data like the instance UUID and URLs heavily redacted by solid black bars on both cards.

Secrets in STACKIT Secret Manager are accessed using the following path format:

[UUID]/data/[secret-name] [secret-key]
  • [UUID]
    The unique identifier of the Secret Manager instance.

  • [secret-name]
    The name of the secret container.

  • [secret-key]
    The specific key-value entry that should be retrieved.

Example:

33333333-3333-3333-3333-333333333333/data/stackit-git version

This retrieves the key version from the secret container stackit-git.

To access secrets during pipeline running, you can use the
HashiCorp Vault Action.

The following example demonstrates how to retrieve a secret in a pipeline workflow.

name: Import Secrets
on: [push]
jobs:
test:
runs-on: ubuntu-act
steps:
- uses: actions/checkout@v4
- name: Import Secrets
id: import-secrets
uses: hashicorp/vault-action@v2
with:
url: https://prod.sm.eu01.stackit.cloud
method: userpass
username: ${{ secrets.SECRET_MANAGER_USERNAME }}
password: ${{ secrets.SECRET_MANAGER_PASSWORD }}
secrets: |
33333333-3333-3333-3333-333333333333/data/stackit-git version
- name: Echo version
run: echo $VERSION
- name: Sensitive Operation
run: echo '${{ steps.import-secrets.outputs.version }}'

In this example:

  • The pipeline authenticates against the STACKIT Secret Manager
  • The specified secret is retrieved
  • The value is made available as a workflow output and environment variable

For more details about related services and tools, see: