reconfigure-pipeline is a command-line tool that streamlines the process of pulling credentials from LastPass into a Concourse pipeline. It uses the LastPass CLI to read credentials from LastPass, writes these credentials to a named pipe, and calls fly with the named pipe as an argument, ensuring credentials are never written to disk.
The Github incident in October 2016 that allowed cloning private repos belonging to other users demonstrated the dangers of keeping credentials in git repositories. For this reason, many teams created tooling, usually in the form of shell scripts, that pulls credentials from LastPass using the LastPass CLI and feeds them into fly or BOSH.
Some of these tools work by storing the entire pipeline, or every credential in a pipeline, in one or a few notes in LastPass. Not only does this lead to unnecessary overhead in maintaining these complex YAML documents using an editor that wasn't built for this purpose, but it also discourages good credential hygiene.
reconfigure-pipeline was built to avoid duplication of work while ensuring the security of credentials. It encourages using the appropriate types in LastPass, while preserving backwards compatibility with tooling that is in use today.
To use reconfigure-pipeline, you need to have the LastPass CLI and fly installed on your system and in your PATH
.
The latest binary release for macOS and Linux can be found here.
go get -u github.com/pivotal-cf/reconfigure-pipeline
reconfigure-pipeline --target my-target --pipeline my-pipeline --config my-pipeline.yml
Where my-target
is the name of a fly target and my-pipeline
is the name of the pipeline you wish to reconfigure.
reconfigure-pipeline uses the same syntax as the new BOSH CLI for credential interpolation, with a few LastPass-specific extensions.
Basic syntax in a pipeline looks like:
key: ((credential-name/field/inner-key))
Where credential-name
is the name of a credential in LastPass, field
is a valid LastPass field name (see below), and inner-key
is an optional hash key that denotes the value stored in LastPass should be parsed as a YAML document, most commonly used with the Notes field.
LastPass items have a variety of different fields, depending on the item type. Some of the most commonly used fields are:
- Username
- Password
- URL
- Notes
- Hostname
- Port
- Public Key
- Private Key
- Passphrase
You can see what fields are available on a particular item by running lpass show item-name
---
resources:
- name: web-app
type: git
source:
uri: [email protected]/pivotal-cf/web-app.git
- name: web-app-staging
type: cf
source:
api: ((web-app-staging/URL))
username: ((web-app-staging/Username))
password: ((web-app-staging/Password))
organization: some-org
space: some-space
jobs:
- name: job-deploy-app
plan:
- get: web-app
- put: web-app-staging
params:
manifest: web-app/manifest.yml
environment_variables:
PRIVATE_KEY: ((web-app-staging-private-key/Notes))
SERVICE_URL: ((web-app-staging/Notes/service-url))
SERVICE_TOKEN: ((web-app-staging/Notes/service-token))
Where the credentials in LastPass look like: