Graham Chiu

Reputation: 4886

How to encrypt your Travis keys

The Travis docs say that the easiest way to encrypt keys, e.g. to upload to S3, is to use their command-line tool.

Are there other ways to do this that don't involve installing Ruby etc. just to use their command-line tool?

Upvotes: 5

Views: 1264

Answers (1)

Graham Chiu

Reputation: 4886

There happens to be a JavaScript method, and it's available here with the corresponding GitHub repo here.

To use encrypted S3 keys is moderately confusing because the principles are not well explained in the Travis docs.

In the top left field of the form mentioned above you enter your Travis-CI userid/repo-name; this allows the script to pull down the public key for your repository that has been created by Travis.

In the right top field, you enter:

AWS_ACCESS_KEY_ID:...the..access..string..from..Amazon.IAM...

Click on Encrypt and copy the string generated below Encrypted Data.

Then in the right top field, you enter:

AWS_SECRET_ACCESS_KEY:...the.very.secret.string.from.Amazon.IAM...

and again copy the encrypted string. Note that the encrypted strings change each time due to random data being included in the encrypted strings.

These encrypted key pairs are decrypted by Travis and exported as environment variables. You enter them in the .travis.yml file like this:

env:
  global:
    # travis encrypt AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
    - secure: "--first-very--long-encrypted-string--="
    # travis encrypt AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
    - secure: "--second--very-long-encrypted-string--="
    # plain (unencrypted) variable alongside the secure ones
    - AWS_S3_BUCKET_NAME: yourbucketname

Now in the deploy section, you reference them by using the names you used for the encryption pair:

deploy:
   provider: s3
   # these are set up in the global env
   access_key_id: $AWS_ACCESS_KEY_ID
   secret_access_key: $AWS_SECRET_ACCESS_KEY
   bucket: $AWS_S3_BUCKET_NAME
   skip_cleanup: true
   upload-dir: travis-builds

If you had used the name ACCESS_ID in global env when you encrypted it, then in deploy you would refer to it as $ACCESS_ID.

The upload-dir is created in the named bucket.

When your build runs in Travis, the decrypted keys are not exposed. Instead, what you see is:

See https://docs.travis-ci.com/user/workers/container-based-infrastructure/ for details.
Setting environment variables from .travis.yml
$ export AWS_ACCESS_KEY_ID=[secure]
$ export AWS_SECRET_ACCESS_KEY=[secure]
$ export AWS_S3_BUCKET_NAME=yourbucketname

Upvotes: 6
