YardmasterYardmaster Docs

Set a secret

Secrets live in credentials, the same as AWX. Each is sealed at rest and never returned by the API. A run gets a credential's value only while it executes, in a temporary file or environment that is wiped afterward. If a tool prints a credential's value, Yardmaster redacts it from the run's log, live stream, and events, so the output shows *** instead of the secret.

Store a credential

  1. Open Credentials and add one.
  2. Pick the kind:
    • ssh_key: an SSH private key, to reach hosts and clone private git projects.
    • vault_password: an Ansible Vault password.
    • env: KEY=VALUE lines injected into the run, how cloud SDK tokens reach a tool.
    • token: a single API token or JWT, exposed to the run as the YARDMASTER_TOKEN environment variable.
    • become_password: a privilege escalation password, kept off the command line.
    • registry: a container registry login, to pull a pinned execution image.
  3. Paste the secret and save. Attach it to a project, a template, or a run.

Resolve it from an external store

You do not have to paste the secret at all. Set the credential's source to a command, and Yardmaster runs that command at launch and uses its standard output as the secret. That keeps the value in your existing store, fetched fresh each run:

vault kv get -field=token secret/ci

Any CLI works the same way, so a credential can pull from Vault, AWS Secrets Manager, GCP Secret Manager, or 1Password with no extra integration.

For Vault there is also a native source that needs no vault CLI on the runner: set the source to Vault and give it the address, path, and field as JSON. Yardmaster reads the secret over Vault's HTTP API at launch, handling both KV v2 and KV v1. The token comes from the config or the VAULT_TOKEN environment:

{"addr":"https://vault:8200","path":"secret/data/ci","field":"token"}

Google Secret Manager has a native source too: set the source to Google Secret Manager and give it the project, secret, and version as JSON. When Yardmaster runs on GCP it reads as its attached service account through the metadata server, so no key is stored; off GCP, put an access token in the config.

{"project":"my-project","secret":"ci-token","version":"latest"}

From the API

curl -s -X POST localhost:8080/credentials \
  -H 'content-type: application/json' \
  -d '{"name":"ci-token","kind":"env","source":"command","secret":"vault kv get -field=token secret/ci"}'

For a pasted value, omit source and put the value in secret. Imported credentials arrive without secrets, since exports never contain them; this is the one-time step to fill them in.

Scope a secret to an inventory

Attach a credential to a stored inventory and every run that targets that inventory receives it, so a fleet can carry its own secret variables in one place. Open Inventories, edit the inventory, and pick the credentials under Credentials. An env credential becomes that inventory's secret variables; a token credential its bearer token. You need use access on a credential to attach it.

Source an inventory's hosts

The host list itself can live in an external store, the same way a secret does. When you add or edit an inventory, pick a content source:

The form takes the address, path, and field for Vault, or the project and secret for Google Secret Manager, and assembles and seals the source configuration for you, so the host list stays in your existing store and is fetched fresh for every run. A command source keeps a generated inventory current without a dedicated dynamic source plugin:

./bin/hosts --env prod

Content sources need encryption, so set YARDMASTER_ENCRYPTION_KEY and a stable YARDMASTER_ENCRYPTION_SALT first. The sealed configuration is never returned by the API; when you edit an inventory, leave the source fields blank to keep the stored one.

From the API

curl -s -X POST localhost:8080/inventories \
  -H 'content-type: application/json' \
  -d '{"name":"prod-fleet","content_source":"command","content_config":"./bin/hosts --env prod"}'

For a Vault or Google Secret Manager source, send the same JSON configuration the matching credential source uses as content_config.