Examples

Dummy Vars

Here's a copy-pasteable example using the Dummy ((var)) source, just to demonstrate named ((var)) syntax:

var_sources:
- name: dumb
  type: dummy
  config:
    vars:
      simple: hello!
      user:
        username: big
        password: sekrit

jobs:
- name: print-creds
  plan:
  - task: print
    config:
      platform: linux

      image_resource:
        type: registry-image
        source: {repository: ubuntu}

      run:
        path: bash
        args:
        - -c
        - |
          echo simple: ((dumb:simple))
          echo username: ((dumb:user.username))
          echo password: ((dumb:user.password))

The print-creds job above will print the following:

simple: hello!
username: big
password: sekrit

With credential redaction enabled, the output above will actually print the following:

simple: ((redacted))
username: ((redacted))
password: ((redacted))

The dummy var source type is, well, pretty dumb. It just provides whatever vars you tell it to. It primarily exists for testing purposes, and is useful as a stand-in in place of a real credential manager where you can at least have the credentials redacted from build output.

In production, you'll probably want to use something like vault instead.

1.4.3 Fetching ((vars)) at Runtime

Concourse can read values from "var sources" - typically credential managers like Vault - at runtime. This keeps them out of your configuration and prevents them from being stored in your database. Values will be read from the credential manager and optionally cached.

The following configurations can be parameterized through a ((var)) source:

Concourse will fetch values for ((vars)) as late as possible - i.e. when a step using them is about to execute. This allows the credentials to have limited lifetime and tight rotation policies.

The Cluster-wide Credential Manager

Concourse can be configured with a single cluster-wide credential manager, which acts as a source for any ((vars)) which do not specify a source name.

See Credential Management for more information.

((var)) Sources

var_sources was introduced in Concourse v5.8.0. It is considered an experimental feature until its associated RFC is resolved.

((var)) sources are the successor to the cluster-wide credential manager.

Instead of a singleton, many sources can be configured, each with a name. This name is used to explicitly reference the source for vars, e.g. ((my-vault:test-user.username)). See ((var)) syntax for a detailed explanation of this syntax.

Currently, ((var)) sources can only be configured at the pipeline-level, through var_sources. Soon we will introduce cluster-wide ((var)) sources and begin deprecating the cluster-wide credential manager.

Each ((var)) source has the following configuration:

name: string

Required. The name of the ((var)) source. This should be short and simple. This name will be referenced ((vars)) throughout the config.

type: string

Required. The type of the ((var)) source. This corresponds to one of the supported credential managers.

Currently, only two types are supported: vault and dummy. This will expand in the future to include all supported credential managers.

config: object

Required. The configuration for the ((var)) source.

Arbitrary configuration for the ((var)) source. The schema of this value is entirely dependent on the type. Each supported ((var)) source type, and their config schema, are documented below.

As the configuration for a ((var)) source is entirely dependent on its type, each supported type documents its own schema below:

  1. 1.4.3.2.1 The Vault ((var)) source
  2. 1.4.3.2.2 The Dummy ((var)) source