ci: migrate CI secrets from AWS SSM to Vault KV #1145

Merged
duncanista merged 3 commits into main from jordan.gonzalez/gitlab/secrets-from-kv
Apr 1, 2026
Conversation

@duncanista
Contributor

Summary

  • Migrate get_secrets.sh from aws ssm get-parameter to vault kv get, matching the pattern used by datadog-lambda-js
  • Remove DATADOG_API_SECRET_ARN from CI secrets — the ARN is a public resource identifier, not sensitive data
  • Hardcode the Secrets Manager ARN directly in integration-tests/lib/util.ts

Test plan

  • Verify CI pipeline can fetch secrets from Vault KV at kv/k8s/gitlab-runner/datadog-lambda-extension/secrets
  • Verify integration tests pass with the hardcoded secret ARN
  • Confirm DD_API_KEY, DD_APP_KEY, and external ID are correctly resolved

Move secret retrieval in get_secrets.sh from aws ssm get-parameter to
vault kv get, aligning with the pattern used by datadog-lambda-js.
Remove DATADOG_API_SECRET_ARN from CI secrets (the ARN is not sensitive)
and hardcode it directly in the integration test utility.
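The SSM-to-Vault move described above, as an added example that is not the project's own get_secrets.sh. It shows the old one-parameter-per-secret `aws ssm get-parameter` call next to the new `vault kv get -field=...` call against the KV path named in the test plan, with the `-field` expansion quoted so a field name is never word-split or globbed, a hard failure when a field is missing or empty, and logging that names variables but never prints their values. The KV field names `dd-api-key` and `dd-app-key` and the function names are assumptions for illustration.

```shell
#!/usr/bin/env sh
# Added example sketching the get_secrets.sh migration from AWS SSM to
# Vault KV; not the project's script. Assumed: the KV path from the PR
# test plan and the field names dd-api-key / dd-app-key.
set -eu

# Vault KV path from the PR test plan (KV v2 mount "kv").
VAULT_SECRETS_PATH="${VAULT_SECRETS_PATH:-kv/k8s/gitlab-runner/datadog-lambda-extension/secrets}"

# Old pattern: one SecureString parameter per secret in AWS SSM.
ssm_get() {
    aws ssm get-parameter --name "$1" --with-decryption \
        --query Parameter.Value --output text
}

# New pattern: one KV entry holding several fields. The -field value is
# quoted so a field name never undergoes word splitting or globbing.
vault_get() {
    vault kv get -field="$1" "$VAULT_SECRETS_PATH"
}

# Read one field and fail loudly if it cannot be read or is empty.
# vault kv get exits non-zero on a missing field, so the || branch runs.
# Only the field name reaches the log, never the value.
require_secret() {
    value="$(vault_get "$1")" || { echo "get_secrets: cannot read $1" >&2; return 1; }
    [ -n "$value" ] || { echo "get_secrets: $1 is empty" >&2; return 1; }
    printf '%s' "$value"
}

# Export the secrets the integration tests need. Under set -e a failed
# command substitution aborts the script before any half-populated
# environment is handed to the pipeline.
export_ci_secrets() {
    DD_API_KEY="$(require_secret dd-api-key)"
    DD_APP_KEY="$(require_secret dd-app-key)"
    export DD_API_KEY DD_APP_KEY
    echo "get_secrets: exported DD_API_KEY DD_APP_KEY" >&2
}

# Run the export only when invoked as "get_secrets.sh --run", so the
# functions can also be sourced by a CI job.
case "${1:-}" in
    --run) export_ci_secrets ;;
esac
```

Sourcing the file and calling `export_ci_secrets` in the CI job keeps the secrets in the job's environment without writing them to disk; `ssm_get` is retained only as the reference for what the pre-migration call looked like.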
Copilot AI review requested due to automatic review settings March 31, 2026 19:53
@duncanista duncanista requested a review from a team as a code owner March 31, 2026 19:53
@duncanista duncanista requested a review from lym953 March 31, 2026 19:53
@duncanista duncanista marked this pull request as draft March 31, 2026 19:53
@duncanista
Contributor Author

Waiting for kv vault permissions to hit so I can add secrets there

Contributor

Copilot AI left a comment

Pull request overview

This PR migrates CI secrets management from AWS Systems Manager Parameter Store to HashiCorp Vault KV, aligning with the pattern used in the datadog-lambda-js project. The changes remove the retrieval of DATADOG_API_SECRET_ARN from AWS SSM and instead hardcode the Secrets Manager ARN directly in the integration tests utility file.

Changes:

  • Migrate get_secrets.sh from AWS SSM get-parameter commands to Vault KV get commands for fetching CI secrets
  • Remove the retrieval of DATADOG_API_SECRET_ARN environment variable from AWS SSM
  • Hardcode the Datadog API secret ARN in integration-tests/lib/util.ts

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File / Description
.gitlab/scripts/get_secrets.sh: Migrate secret retrieval from AWS SSM to Vault KV, removing DATADOG_API_SECRET_ARN retrieval
integration-tests/lib/util.ts: Hardcode the Secrets Manager ARN instead of reading from environment variable

Comment thread: .gitlab/scripts/get_secrets.sh (outdated)
Prevent word splitting or special character issues by quoting the
variable expansion in the -field argument.
@duncanista duncanista marked this pull request as ready for review April 1, 2026 02:59
import {ACCOUNT, REGION} from "../config";

export const datadogSecretArn = process.env.DATADOG_API_SECRET_ARN!;
export const datadogSecretArn = 'arn:aws:secretsmanager:us-east-1:425362996713:secret:extension-integration-tests-api-key-PnEPHz';
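Review bot: the replacement line hardcodes the region (us-east-1) and account id (425362996713) as string literals while the unchanged first line of the hunk still imports ACCOUNT and REGION from "../config", so the two sources can drift if either value ever changes. If those constants hold the same values, build the ARN from them, e.g. `export const datadogSecretArn = \`arn:aws:secretsmanager:${REGION}:${ACCOUNT}:secret:extension-integration-tests-api-key-PnEPHz\`;`, and put a one-line comment above it stating which secret it names and that an ARN is a resource identifier rather than the credential, which also covers the documentation nit raised below. Dropping `process.env.DATADOG_API_SECRET_ARN!` removes a non-null assertion that could yield undefined at runtime, but with a literal in place nothing fails fast if the secret is deleted or recreated under a new suffix; the code that reads the secret should still treat a not-found error as a hard failure.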
Contributor

nit: We may need to document this for future maintenance.

Contributor Author

yeah, this was overkill; this wasn't designed with ideal secret manager handling. Ideally we'd move this into creation on the project and then cleaning it up, but overall, having a secret in the project is still overkill

@duncanista duncanista merged commit d7d6815 into main Apr 1, 2026
51 checks passed
@duncanista duncanista deleted the jordan.gonzalez/gitlab/secrets-from-kv branch April 1, 2026 14:22
