Migrate CI from aws ssm to Vault

ambushwork · ambushwork · commit c096dd5cbb84 · 2025-11-13T14:24:31.000+01:00
diff --git a/ci/pipelines/default-pipeline.yml b/ci/pipelines/default-pipeline.yml
@@ -4,6 +4,7 @@ include:
 # SETUP
 
 stages:
+  - fetch-secrets
   - ci-image
   - security
   - analysis
@@ -13,6 +14,10 @@ stages:
   - notify
 
 .snippets:
+  fetch-secrets:
+    - mkdir -p ./ci/pipelines/secrets
+    - ./ci/scripts/fetch-secrets.sh
+
   # macOS AMI will already have cmdline-tools installed
   install-android-api-components:
     - echo y | ~/android_sdk/cmdline-tools/latest/bin/sdkmanager --install "emulator"
@@ -39,15 +44,27 @@ stages:
     - if [[ "$exit_code" -ne 0 ]]; then exit 1; fi
     - exit 0
   set-publishing-credentials:
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.gradle-properties --with-decryption --query "Parameter.Value" --out text >> ./gradle.properties
-    - export GPG_PRIVATE_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.signing.gpg_private_key --with-decryption --query "Parameter.Value" --out text)
-    - export GPG_PASSWORD=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.signing.gpg_passphrase --with-decryption --query "Parameter.Value" --out text)
-    - export CENTRAL_PUBLISHER_USERNAME=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.publishing.central_username --with-decryption --query "Parameter.Value" --out text)
-    - export CENTRAL_PUBLISHER_PASSWORD=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.publishing.central_password --with-decryption --query "Parameter.Value" --out text)
-    - export GPG_PUBLIC_FINGERPRINT=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.signing.gpg_public_key --with-decryption --query "Parameter.Value" --out text | gpg --import --import-options show-only | grep -E -o -e "[A-F0-9]{40}")
+    - cp ./ci/pipelines/secrets/gradle.properties ./gradle.properties
+    - export GPG_PRIVATE_KEY=$(cat ./ci/pipelines/secrets/gpg_private_key)
+    - export GPG_PASSWORD=$(cat ./ci/pipelines/secrets/gpg_passphrase)
+    - export CENTRAL_PUBLISHER_USERNAME=$(cat ./ci/pipelines/secrets/central_username)
+    - export CENTRAL_PUBLISHER_PASSWORD=$(cat ./ci/pipelines/secrets/central_password)
+    - export GPG_PUBLIC_FINGERPRINT=$(cat ./ci/pipelines/secrets/gpg_public_key | gpg --import --import-options show-only | grep -E -o -e "[A-F0-9]{40}")
 
 # CI IMAGE
 
+fetch-secrets:
+  stage: fetch-secrets
+  tags: ["macos:sonoma","specific:true"]
+  image: $CI_IMAGE_DOCKER
+  script:
+    - !reference [.snippets, fetch-secrets]
+  artifacts:
+    paths:
+      - ./ci/pipelines/secrets/
+    expire_in: 1 hour
+    when: always
+
 ci-image:
   stage: ci-image
   when: manual
@@ -184,9 +201,9 @@ test:kover:
     - pip3 install datadog
     - rm -rf ~/.gradle/daemon/
     - export DD_AGENT_HOST="$BUILDENV_HOST_IP"
-    - export DD_API_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.api_key --with-decryption --query "Parameter.Value" --out text)
-    - export DD_APP_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.app_key --with-decryption --query "Parameter.Value" --out text)
-    - CODECOV_TOKEN=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.codecov-token  --with-decryption --query "Parameter.Value" --out text)
+    - export DD_API_KEY=$(cat ./ci/pipelines/secrets/api_key)
+    - export DD_APP_KEY=$(cat ./ci/pipelines/secrets/app_key)
+    - CODECOV_TOKEN=$(cat ./ci/pipelines/secrets/codecov_token)
     - GRADLE_OPTS="-Xmx3072m" DD_TAGS="test.configuration.variant:release" ./gradlew :dd-sdk-android-core:koverXmlReportRelease  --no-daemon --build-cache --gradle-user-home cache/ -Dorg.gradle.jvmargs=-javaagent:$DD_TRACER_FOLDER/dd-java-agent.jar=$DD_COMMON_AGENT_CONFIG
     - GRADLE_OPTS="-Xmx3072m" DD_TAGS="test.configuration.variant:release" ./gradlew :dd-sdk-android-internal:koverXmlReportRelease  --no-daemon --build-cache --gradle-user-home cache/ -Dorg.gradle.jvmargs=-javaagent:$DD_TRACER_FOLDER/dd-java-agent.jar=$DD_COMMON_AGENT_CONFIG
     - GRADLE_OPTS="-Xmx3072m" DD_TAGS="test.configuration.variant:release" ./gradlew :koverReportFeatures  --no-daemon --build-cache --gradle-user-home cache/ -Dorg.gradle.jvmargs=-javaagent:$DD_TRACER_FOLDER/dd-java-agent.jar=$DD_COMMON_AGENT_CONFIG
@@ -372,7 +389,7 @@ test-pyramid:detekt-api-coverage:
   timeout: 1h
   script:
     - mkdir -p ./config/
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.gradle-properties --with-decryption --query "Parameter.Value" --out text >> ./gradle.properties
+    - cp ./ci/pipelines/secrets/gradle.properties ./gradle.properties
     - GRADLE_OPTS="-Xmx4096M" ./gradlew assembleLibrariesDebug --stacktrace --no-daemon
     - GRADLE_OPTS="-Xmx4096M" ./gradlew printSdkDebugRuntimeClasspath --stacktrace --no-daemon
     - GRADLE_OPTS="-Xmx4096M" ./gradlew :tools:detekt:jar --stacktrace --no-daemon
@@ -390,13 +407,13 @@ test-pyramid:publish-e2e-synthetics:
     - develop
   script:
     - mkdir -p ./config/
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.gradle-properties --with-decryption --query "Parameter.Value" --out text >> ./gradle.properties
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.keystore --with-decryption --query "Parameter.Value" --out text | base64 -d > ./sample-android.keystore
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.e2e_config_json --with-decryption --query "Parameter.Value" --out text > ./config/us1.json
-    - export E2E_STORE_PASSWD=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.keystore-password --with-decryption --query "Parameter.Value" --out text)
-    - export E2E_DD_API_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.e2e_api_key --with-decryption --query "Parameter.Value" --out text)
-    - export E2E_DD_APP_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.e2e_app_key --with-decryption --query "Parameter.Value" --out text)
-    - export E2E_MOBILE_APP_ID=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.e2e_mobile_app_id --with-decryption --query "Parameter.Value" --out text)
+    - cp ./ci/pipelines/secrets/gradle.properties ./gradle.properties
+    - cp ./ci/pipelines/secrets/keystore ./sample-android.keystore
+    - cp ./ci/pipelines/secrets/e2e_config.json ./config/us1.json
+    - export E2E_STORE_PASSWD=$(cat ./ci/pipelines/secrets/keystore_password)
+    - export E2E_DD_API_KEY=$(cat ./ci/pipelines/secrets/e2e_api_key)
+    - export E2E_DD_APP_KEY=$(cat ./ci/pipelines/secrets/e2e_app_key)
+    - export E2E_MOBILE_APP_ID=$(cat ./ci/pipelines/secrets/e2e_mobile_app_id)
     - GRADLE_OPTS="-Xmx4096M" ./gradlew assembleLibrariesRelease --stacktrace --no-daemon
     - GRADLE_OPTS="-Xmx4096M" ./gradlew :sample:kotlin:packageUs1Release --stacktrace --no-daemon
     - npm update -g @datadog/datadog-ci
@@ -417,13 +434,13 @@ test-pyramid:publish-webview-synthetics:
     - develop
   script:
     - mkdir -p ./config/
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.gradle-properties --with-decryption --query "Parameter.Value" --out text >> ./gradle.properties
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.keystore --with-decryption --query "Parameter.Value" --out text | base64 -d > ./sample-android.keystore
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.webview_config_json --with-decryption --query "Parameter.Value" --out text > ./config/us1.json
-    - export E2E_STORE_PASSWD=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.keystore-password --with-decryption --query "Parameter.Value" --out text)
-    - export E2E_DD_API_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.webview_api_key --with-decryption --query "Parameter.Value" --out text)
-    - export E2E_DD_APP_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.webview_app_key --with-decryption --query "Parameter.Value" --out text)
-    - export E2E_MOBILE_APP_ID=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.webview_mobile_app_id --with-decryption --query "Parameter.Value" --out text)
+    - cp ./ci/pipelines/secrets/gradle.properties ./gradle.properties
+    - cp ./ci/pipelines/secrets/keystore ./sample-android.keystore
+    - cp ./ci/pipelines/secrets/webview_config.json ./config/us1.json
+    - export E2E_STORE_PASSWD=$(cat ./ci/pipelines/secrets/keystore_password)
+    - export E2E_DD_API_KEY=$(cat ./ci/pipelines/secrets/webview_api_key)
+    - export E2E_DD_APP_KEY=$(cat ./ci/pipelines/secrets/webview_app_key)
+    - export E2E_MOBILE_APP_ID=$(cat ./ci/pipelines/secrets/webview_mobile_app_id)
     - GRADLE_OPTS="-Xmx4096M" ./gradlew assembleLibrariesRelease --stacktrace --no-daemon
     - GRADLE_OPTS="-Xmx4096M" ./gradlew :sample:kotlin:packageUs1Release --stacktrace --no-daemon
     - npm update -g @datadog/datadog-ci
@@ -444,13 +461,13 @@ test-pyramid:publish-staging-synthetics:
     - develop
   script:
     - mkdir -p ./config/
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.gradle-properties --with-decryption --query "Parameter.Value" --out text >> ./gradle.properties
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.keystore --with-decryption --query "Parameter.Value" --out text | base64 -d > ./sample-android.keystore
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.e2e_staging_config_json --with-decryption --query "Parameter.Value" --out text > ./config/staging.json
-    - export E2E_STORE_PASSWD=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.keystore-password --with-decryption --query "Parameter.Value" --out text)
-    - export E2E_DD_API_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.e2e_staging_api_key --with-decryption --query "Parameter.Value" --out text)
-    - export E2E_DD_APP_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.e2e_staging_app_key --with-decryption --query "Parameter.Value" --out text)
-    - export E2E_MOBILE_APP_ID=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.e2e_staging_mobile_app_id --with-decryption --query "Parameter.Value" --out text)
+    - cp ./ci/pipelines/secrets/gradle.properties ./gradle.properties
+    - cp ./ci/pipelines/secrets/keystore ./sample-android.keystore
+    - cp ./ci/pipelines/secrets/e2e_staging_config.json ./config/staging.json
+    - export E2E_STORE_PASSWD=$(cat ./ci/pipelines/secrets/keystore_password)
+    - export E2E_DD_API_KEY=$(cat ./ci/pipelines/secrets/e2e_staging_api_key)
+    - export E2E_DD_APP_KEY=$(cat ./ci/pipelines/secrets/e2e_staging_app_key)
+    - export E2E_MOBILE_APP_ID=$(cat ./ci/pipelines/secrets/e2e_staging_app_id)
     - GRADLE_OPTS="-Xmx4096M" ./gradlew assembleLibrariesRelease --stacktrace --no-daemon
     - GRADLE_OPTS="-Xmx4096M" ./gradlew :sample:kotlin:packageStagingRelease --stacktrace --no-daemon
     - npm update -g @datadog/datadog-ci
@@ -471,13 +488,13 @@ test-pyramid:publish-benchmark-synthetics:
     - develop
   script:
     - mkdir -p ./config/
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.gradle-properties --with-decryption --query "Parameter.Value" --out text >> ./gradle.properties
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.keystore --with-decryption --query "Parameter.Value" --out text | base64 -d > ./sample-benchmark.keystore
-    - aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.benchmark_config_json --with-decryption --query "Parameter.Value" --out text > ./config/benchmark.json
-    - export BM_STORE_PASSWD=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.keystore-password --with-decryption --query "Parameter.Value" --out text)
-    - export BM_DD_API_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.benchmark_api_key --with-decryption --query "Parameter.Value" --out text)
-    - export BM_DD_APP_KEY=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.benchmark_app_key --with-decryption --query "Parameter.Value" --out text)
-    - export BM_MOBILE_APP_ID=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.benchmark_mobile_app_id --with-decryption --query "Parameter.Value" --out text)
+    - cp ./ci/pipelines/secrets/gradle.properties ./gradle.properties
+    - cp ./ci/pipelines/secrets/keystore ./sample-benchmark.keystore
+    - cp ./ci/pipelines/secrets/benchmark_config.json ./config/benchmark.json
+    - export BM_STORE_PASSWD=$(cat ./ci/pipelines/secrets/keystore_password)
+    - export BM_DD_API_KEY=$(cat ./ci/pipelines/secrets/benchmark_api_key)
+    - export BM_DD_APP_KEY=$(cat ./ci/pipelines/secrets/benchmark_app_key)
+    - export BM_MOBILE_APP_ID=$(cat ./ci/pipelines/secrets/benchmark_mobile_app_id)
     - GRADLE_OPTS="-Xmx4096M" ./gradlew assembleLibrariesRelease --stacktrace --no-daemon
     - GRADLE_OPTS="-Xmx4096M" ./gradlew :sample:benchmark:packageRelease --stacktrace --no-daemon
     - npm update -g @datadog/datadog-ci
diff --git a/ci/scripts/fetch-secrets.sh b/ci/scripts/fetch-secrets.sh
@@ -0,0 +1,44 @@
+#
+# Unless explicitly stated otherwise all files in this repository are licensed under the Apache License Version 2.0.
+# This product includes software developed at Datadog (https://www.datadoghq.com/).
+# Copyright 2016-Present Datadog, Inc.
+#
+
+source ./ci/scripts/vault_config.sh
+source ./ci/scripts/get-secret.sh
+
+# Gradle properties
+get_secret $DD_ANDROID_SECRET__GRADLE_PROPERTIES > ./ci/pipelines/secrets/gradle.properties
+# Signing and publishing
+get_secret $DD_ANDROID_SECRET__SIGNING_GPG_PRIVATE_KEY > ./ci/pipelines/secrets/gpg_private_key
+get_secret $DD_ANDROID_SECRET__SIGNING_GPG_PASSPHRASE > ./ci/pipelines/secrets/gpg_passphrase
+get_secret $DD_ANDROID_SECRET__SIGNING_GPG_PUBLIC_KEY > ./ci/pipelines/secrets/gpg_public_key
+get_secret $DD_ANDROID_SECRET__PUBLISHING_CENTRAL_USERNAME > ./ci/pipelines/secrets/central_username
+get_secret $DD_ANDROID_SECRET__PUBLISHING_CENTRAL_PWD > ./ci/pipelines/secrets/central_password
+    # API and App keys
+get_secret $DD_ANDROID_SECRET__API_KEY > ./ci/pipelines/secrets/api_key
+get_secret $DD_ANDROID_SECRET__APP_KEY > ./ci/pipelines/secrets/app_key
+get_secret $DD_ANDROID_SECRET__CODECOV_TOKEN > ./ci/pipelines/secrets/codecov_token
+# Keystore
+get_secret $DD_ANDROID_SECRET__KEYSTORE > ./ci/pipelines/secrets/keystore
+get_secret $DD_ANDROID_SECRET__KEYSTORE_PWD > ./ci/pipelines/secrets/keystore_password
+# E2E Testing
+get_secret $DD_ANDROID_SECRET__E2E_CONFIG_JSON > ./ci/pipelines/secrets/e2e_config.json
+get_secret $DD_ANDROID_SECRET__E2E_API_KEY > ./ci/pipelines/secrets/e2e_api_key
+get_secret $DD_ANDROID_SECRET__E2E_APP_KEY > ./ci/pipelines/secrets/e2e_app_key
+get_secret $DD_ANDROID_SECRET__E2E_MOBILE_APP_ID > ./ci/pipelines/secrets/e2e_mobile_app_id
+    # WebView
+get_secret $DD_ANDROID_SECRET__WEBVIEW_CONFIG_JSON > ./ci/pipelines/secrets/webview_config.json
+get_secret $DD_ANDROID_SECRET__WEBVIEW_API_KEY > ./ci/pipelines/secrets/webview_api_key
+get_secret $DD_ANDROID_SECRET__WEBVIEW_APP_KEY > ./ci/pipelines/secrets/webview_app_key
+get_secret $DD_ANDROID_SECRET__WEBVIEW_MOBILE_APP_ID > ./ci/pipelines/secrets/webview_mobile_app_id
+    # Staging
+get_secret $DD_ANDROID_SECRET__E2E_STAGING_CONFIG_JSON > ./ci/pipelines/secrets/e2e_staging_config.json
+get_secret $DD_ANDROID_SECRET__E2E_STAGING_API_KEY > ./ci/pipelines/secrets/e2e_staging_api_key
+get_secret $DD_ANDROID_SECRET__E2E_STAGING_APP_KEY > ./ci/pipelines/secrets/e2e_staging_app_key
+get_secret $DD_ANDROID_SECRET__E2E_STAGING_APP_ID > ./ci/pipelines/secrets/e2e_staging_app_id
+    # Benchmark
+get_secret $DD_ANDROID_SECRET__BENCHMARK_CONFIG_JSON > ./ci/pipelines/secrets/benchmark_config.json
+get_secret $DD_ANDROID_SECRET__BENCHMARK_API_KEY > ./ci/pipelines/secrets/benchmark_api_key
+get_secret $DD_ANDROID_SECRET__BENCHMARK_APP_KEY > ./ci/pipelines/secrets/benchmark_app_key
+get_secret $DD_ANDROID_SECRET__BENCHMARK_MOBILE_APP_ID > ./ci/pipelines/secrets/benchmark_mobile_app_id
diff --git a/ci/scripts/get-secret.sh b/ci/scripts/get-secret.sh
@@ -16,14 +16,20 @@ source ./ci/scripts/list-secrets.sh
 # - For <secret_name> use constants defined in './ci/scripts/vault_config.sh'
 # - Requires `vault` to be installed
 get_secret() {
-    local secret_name=$SECRET_NAME
+    local secret_name=$1
 
     export VAULT_ADDR=$DD_VAULT_ADDR
-    if vault token lookup &>/dev/null; then
-        echo "Reading '$secret_name' secret in local env. You are already authenticated with 'vault'." >&2
+
+    if [ "$CI" = "true" ]; then
+        echo "Login as CI"
+        vault login -method=aws -no-print
     else
-        echo "Reading '$secret_name' secret in local env. You will now be authenticated with OIDC in your web browser." >&2
-        vault login -method=oidc -no-print
+        if vault token lookup &>/dev/null; then
+            echo "Reading '$secret_name' secret in local env. You are already authenticated with 'vault'." >&2
+        else
+            echo "Reading '$secret_name' secret in local env. You will now be authenticated with OIDC in your web browser." >&2
+            vault login -method=oidc -no-print
+        fi
     fi
 
     local secret_value=$(vault kv get -field=value "$DD_ANDROID_SECRETS_PATH_PREFIX/$secret_name")
@@ -33,9 +39,12 @@ get_secret() {
         exit 1
     fi
 
-    echo $secret_value
+    echo "$secret_value"
 }
 
-list_secrets
-select_secret
-get_secret "$@"
+# Only run the main logic if the script is executed directly (not sourced)
+if [ "$CI" != "true" ]; then
+    list_secrets
+    select_secret
+    get_secret "$SECRET_NAME"
+fi
diff --git a/ci/scripts/vault_config.sh b/ci/scripts/vault_config.sh
@@ -38,6 +38,7 @@ DD_ANDROID_SECRET__BENCHMARK_API_KEY="benchmark_api_key"
 DD_ANDROID_SECRET__BENCHMARK_APP_KEY="benchmark_app_key"
 DD_ANDROID_SECRET__BENCHMARK_MOBILE_APP_ID="benchmark_mobile_app_id"
 
+if [ "$CI" != "true" ]; then
 idx=0
 declare -A DD_ANDROID_SECRETS
 DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__TEST_SECRET | Test secret to verify functionality. Can be changed but not deleted."
@@ -68,3 +69,4 @@ DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__BENCHMARK_CONFIG_JSON | conf
 DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__BENCHMARK_API_KEY | API key for uploading a benchmark APK to the Mobile Integration org (529432, https://mobile-integration.datadoghq.com/)."
 DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__BENCHMARK_APP_KEY | App key for uploading a benchmark APK to the Mobile Integration org (529432, https://mobile-integration.datadoghq.com/)."
 DD_ANDROID_SECRETS[$((idx++))]="$DD_ANDROID_SECRET__BENCHMARK_MOBILE_APP_ID | Application ID for uploading a benchmark APK to the Mobile Integration org (529432, https://mobile-integration.datadoghq.com/)."
+fi
