Injecting HashiCorp Vault Dynamic Secrets into a CircleCI Pipeline

Watch this live stream replay on how to use HashiCorp Vault's Google Cloud Secrets Engine in a CircleCI pipeline.


  • Rosemary Wang
    Rosemary WangDeveloper Advocate, HashiCorp
  • Angel Rivera
    Angel RiveraDeveloper Advocate, CircleCI

How do we use HashiCorp Vault's Google Cloud Secrets Engine to inject service account keys into a CircleCI pipeline? Watch this replay from the HashiCorp Live stream to learn how to securely inject dynamic secrets into your CircleCI pipeline. Rosemary Wang (Developer Advocate, HashiCorp) and Angel Rivera (Developer Advocate, CircleCI) teach each other about HashiCorp Vault and CircleCI while attempting to configure an example pipeline to use Vault to retrieve dynamically generated Google Cloud service account keys and authenticate to a Kubernetes cluster in Google Kubernetes Engine.

Subscribe to the HashiCorp Live Twitch channel to watch future live streams!


0:05 — Introduction & Recap of Injecting Static Secrets. See CircleCI Configuration Reference for pipeline configuration attributes.

33:08 — Introduction to Google Cloud Secrets Engine

37:50 — Using the Vault Provider for Terraform to Configure Vault

53:10 — Configuring Vault with Terraform Cloud

1:01:30 — Configuring CircleCI to Retrieve Google Cloud Service Account Keys from Vault

1:06:20 — Configuring Vault Agent Template to Output Service Account Keys

1:25:00 — Demo of Dynamic Service Account Creation in Google Cloud

1:53:10 — Fixing Vault Agent Template to Base-64 Decode Google Cloud Service Account Key

1:56:00 — Successful Authentication to Kubernetes cluster on Google Kubernetes Engine

More resources like this one