Credential management

Concourse supports integration with credential managers.

Your Concourse instance was preconfigured to integrate with CredHub.

Configure the client

  • Install the credhub CLI.

  • Ask your instructor for your credhub environment file.

    Source the file.

    Once set, the environment variables supply the credhub CLI with the coordinates it needs to communicate with the Concourse CredHub server.

  • Run a simple credhub command, such as credhub find, to verify communication with the CredHub server.

Draft a new pipeline

Make a copy of the file pipeline-vars.yml (from the previous exercise) to a new file, named pipeline-creds.yml.

Edit the pipeline as follows:

  1. delete the first job
  2. rename the remaining job to say-hi
  3. rename the greeting to message

Set the pipeline, giving it a name distinct from other pipelines created thus far.

Trigger the job.

The build will fail, stating that it could not interpolate the task due to an undefined variable named message.

Make the job pass

Re-run the job.

Assuming a properly set credhub entry, the Concourse job will successfully interpolate the variable and the job will pass.
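The entry has to sit at a path Concourse actually searches. The sketch below is an added example, not part of the original exercise: it lists the CredHub paths Concourse tries for the message variable and stores a value at the pipeline-scoped one. The team name main, the pipeline name creds-demo and the sample value are assumptions; /concourse is Concourse's default CredHub path prefix.

```shell
#!/usr/bin/env bash
# Added example. Team "main" and pipeline "creds-demo" are assumed names.

# Print the CredHub paths Concourse tries for ((var)), in lookup order.
# /concourse is Concourse's default CredHub path prefix.
credhub_lookup_paths() {
  local team="$1" pipeline="$2" var="$3" prefix="${4:-/concourse}" part
  for part in "$team" "$pipeline" "$var"; do
    case "$part" in
      ''|*/*) echo "invalid path component: '$part'" >&2; return 1 ;;
    esac
  done
  printf '%s/%s/%s/%s\n' "$prefix" "$team" "$pipeline" "$var"  # tried first
  printf '%s/%s/%s\n' "$prefix" "$team" "$var"                 # team-wide fallback
}

# Store a value at the pipeline-scoped path, the narrowest scope available.
# DRY_RUN=1 prints the command (value redacted) instead of calling credhub.
set_pipeline_value() {
  local team="$1" pipeline="$2" var="$3" value="$4" paths path
  paths=$(credhub_lookup_paths "$team" "$pipeline" "$var") || return 1
  path=$(printf '%s\n' "$paths" | sed -n 1p)
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'credhub set -n %s -t value -v <redacted>\n' "$path"
  else
    credhub set -n "$path" -t value -v "$value"
  fi
}

# Dry run for the pipeline in this exercise; drop DRY_RUN=1 to write the entry.
DRY_RUN=1 set_pipeline_value main creds-demo message 'Hello from CredHub'
```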

Summary

Jobs often require credentials to function. Those credentials should never be entered directly in a pipeline YAML file. Using a variables file is better, but still insecure. Credential managers solve the security problem by storing credentials securely while allowing Concourse jobs to function without divulging secrets.