## Secrets
Orchestrator securely transfers secrets to remote build containers using each provider's native secrets system.
### Kubernetes

Secrets are created as native Kubernetes `Secret` objects and exposed to job containers as environment variables.
### AWS

Secrets are stored in AWS Secrets Manager and injected into Fargate tasks as environment variables.
## 🔐 Pulling Secrets from External Sources
You can pull parameter values from external secret managers or files at runtime instead of hardcoding credentials. This keeps CLI commands short and secrets out of your repository.
```text
   Orchestrator                            External Source
┌──────────────┐       command        ┌──────────────────┐
│ Reads input  │ ────────────────────►│  Secret Manager  │
│ override     │                      │ (GCP, AWS, file) │
│ list         │ ◄────────────────────│                  │
│              │        value         │                  │
└──────────────┘                      └──────────────────┘
```
### Parameters

| Parameter | Default | Description |
|---|---|---|
| `readInputOverrideCommand` | — | Command to run for each secret. Use `{0}` as a placeholder for the parameter name. |
| `readInputFromOverrideList` | — | Comma-separated list of parameter names to pull via `readInputOverrideCommand`. |
| `populateOverride` | — | Must be `true` to enable pulling secrets (CLI only). Auto-enabled in GitHub Actions when the command is set. |
### Built-in Presets

Instead of writing a full command, use one of these presets as the `readInputOverrideCommand`:

| Preset | Expands to |
|---|---|
| `gcp-secret-manager` | `gcloud secrets versions access 1 --secret="{0}"` |
| `aws-secret-manager` | `aws secretsmanager get-secret-value --secret-id {0}` |
### Example

```bash
yarn run cli -m cli-build \
  --populateOverride true \
  --readInputFromOverrideList UNITY_EMAIL,UNITY_SERIAL,UNITY_PASSWORD \
  --readInputOverrideCommand='gcloud secrets versions access 1 --secret="{0}"'
```

This runs the GCP command once per parameter name in the list, substituting the name for `{0}`, and uses the command's standard output as that parameter's value.