Encrypting your Concourse deployment is a good first step to securing your CI/CD tools. For even greater security, VMware recommends that you use a credential manager as well.
Explicit credential management provides temporary credentials to your Concourse builds. These credentials are not stored anywhere. Credential management also allows for credentials to be rotated and managed from outside the pipeline or team, and prevents them from being revealed by the get-pipeline
command. For more information about get-pipeline
, see the Concourse documentation.
Credential management works by replacing the credentials with parameters in your pipeline or task config files. For more information, see the Concourse documentation. When the ATC is about to run the step or check that is configured with the parameters, it resolves them by fetching the values from the credential manager. This ensures that credentials are not transmitted over insecure channels, or stored in build history.
Concourse supports CredHub and Vault for external credential management. For the full list of supported external credential managers, see the Concourse documentation.
You can use a credential manager to control the following resources:
Where these values are looked up and how the credential manager is configured depends on whether you use CredHub or Vault. See Use CredHub or Use Vault below.
This section describes using CredHub for credential management in Concourse. For general information, see the CredHub repository.
The web node is statically configured with a CredHub server URL with TLS and client config.
To configure CredHub, provide the credhub
properties to your web node. For information about this process, see credhub in the BOSH documentation. For additional information, see The CredHub credential manager in the Concourse documentation.
When resolving a parameter such as ((foo-param))
, it looks in the following paths, in order:
/concourse/TEAM-NAME/PIPELINE-NAME/FOO-PARAM
/concourse/TEAM-NAME/FOO-PARAM
The leading /concourse
can be changed by specifying --credhub-path-prefix
.
CredHub credentials have different types, which can contain multiple values. For example, the user
type specifies both username
and password
. You can specify the field to grab through .
syntax, such as ((foo-param.username))
.
If the web node is interpolating a variable to schedule some work that is scoped to a pipeline, it first looks in the path of that pipeline. If it is not found there, it looks in the team path. This allows credentials to be scoped widely if they are common across many pipelines.
If the web node is interpolating a variable to run a one-off build, it only looks in the path for the team that the user is currently logged in to.
This section describes using HashiCorp Vault for credential management in Concourse. For general information, see the Vault homepage.
The web node is statically configured with a Vault server URL (plus any TLS config) and either a client token or an authentication backend.
To configure Vault, provide the vault
properties to your web node. For information about this process, see vault in the BOSH documentation. For additional information, see The Vault credential manager in the Concourse documentation.
When resolving a parameter such as ((YOUR-PARAM)), the web node looks in the following paths:
/concourse/TEAM-NAME/PIPELINE-NAME/YOUR-PARAM
/concourse/TEAM-NAME/YOUR-PARAM
The leading /concourse
can be changed by specifying --vault-path-prefix
.
If the web node is interpolating a variable to schedule some work that is scoped to a pipeline, it first looks in the path of that pipeline. If it is not found there, it looks in the team path. This allows credentials to be scoped widely if they are common across many pipelines.
If the web node is interpolating a variable to run a one-off build, it only looks in the path for the team that the user is currently logged in to.