GitLab Sync
Learn how to configure a GitLab Sync for Hanzo KMS.
Prerequisites:
- Set up and add secrets to Hanzo KMS Cloud
- Create a GitLab Connection
- Ensure your network security policies allow incoming requests from Hanzo KMS to this secret sync provider, if network restrictions apply.
-
Navigate to Project > Integrations and select the Secret Syncs tab. Click on the Add Sync button.
-
Select the GitLab option.
-
Configure the Source from where secrets should be retrieved, then click Next.
- Environment: The project environment to retrieve secrets from.
- Secret Path: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out secret imports.
-
Configure the Destination to where secrets should be deployed, then click Next.
- GitLab Connection: The GitLab Connection to authenticate with.
- Scope: The GitLab scope to sync secrets to.
- Project: Sync secrets to a GitLab project.
- Group: Sync secrets to a GitLab group.
The remaining fields are determined by the selected Scope:
- GitLab Project: The project to deploy secrets to.
- GitLab Environment Scope: The environment scope to deploy secrets to (optional, defaults to "*" for all environments).
- Mark secrets as Protected: If enabled, synced secrets will be marked as protected in GitLab.
- Mark secrets as Masked: If enabled, synced secrets will be masked in GitLab CI/CD logs.
- Mark secrets as Hidden: If enabled, synced secrets will be hidden from the GitLab UI.
- GitLab Group: The group to deploy secrets to.
- GitLab Environment Scope: The environment scope to deploy secrets to (optional, defaults to "*" for all environments).
- Mark secrets as Protected: If enabled, synced secrets will be marked as protected in GitLab.
- Mark secrets as Masked: If enabled, synced secrets will be masked in GitLab CI/CD logs.
- Mark secrets as Hidden: If enabled, synced secrets will be hidden from the GitLab UI.
Be aware that GitLab only allows to mark secrets as hidden for new secrets. If you try to mark an existing secret as hidden, it produces an error.
If you enable Mark secrets as Hidden, Hanzo KMS will not be able to unhide/unmask secrets from the sync destination if you disable the option later. This is because GitLab does not allow to unhide/unmask existing secrets.
-
Configure the Sync Options to specify how secrets should be synced, then click Next.
- Initial Sync Behavior: Determines how Hanzo KMS should resolve the initial sync.
- Overwrite Destination Secrets: Removes any secrets at the destination endpoint not present in Hanzo KMS.
GitLab does not support importing secrets.
- Key Schema: Template that determines how secret names are transformed when syncing, using
{{secretKey}}as a placeholder for the original secret name and{{environment}}for the environment.
We highly recommend using a Key Schema to ensure that Hanzo KMS only manages the specific keys you intend, keeping everything else untouched.
- Auto-Sync Enabled: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
- Disable Secret Deletion: If enabled, Hanzo KMS will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Hanzo KMS.
- Initial Sync Behavior: Determines how Hanzo KMS should resolve the initial sync.
-
Configure the Details of your GitLab Sync, then click Next.
- Name: The name of your sync. Must be slug-friendly.
- Description: An optional description for your sync.
-
Review your GitLab Sync configuration, then click Create Sync.
-
If enabled, your GitLab Sync will begin syncing your secrets to the destination endpoint.
To create a GitLab Sync, make an API request to the Create GitLab Sync API endpoint.
Sample request
curl --request POST \
--url https://app.kms.hanzo.ai/api/v1/secret-syncs/gitlab \
--header 'Content-Type: application/json' \
--data '{
"name": "my-gitlab-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"destinationConfig": {
"scope": "project",
"projectId": "70998370",
"projectName": "test",
"targetEnvironment": "*",
"shouldProtectSecrets": true,
"shouldMaskSecrets": true,
"shouldHideSecrets": false
}
}'Sample response
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-gitlab-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "gitlab",
"name": "my-gitlab-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/my-secrets"
},
"destination": "gitlab",
"destinationConfig": {
"scope": "project",
"projectId": "70998370",
"projectName": "test",
"targetEnvironment": "*",
"shouldProtectSecrets": true,
"shouldMaskSecrets": true,
"shouldHideSecrets": false
}
}
}How is this guide?
Last updated on