How to migrate secrets from my org other org

renato.souza.sambate · June 25, 2024, 11:55am

Today our org has several projects from different clients and we have started a new structure where we will deliver github projects and pipelines to clients and with this we will need to migrate aws account and all other tech.

My question is whether I can use circleCI to migrate specific secrets from my org to another org?

sebastian-lerner · June 27, 2024, 10:55am

There is no automated way to do this unfortunately

sebastian-lerner · June 27, 2024, 10:57am

You can use the API to automate the creation of new contexts which store those secrets in environment variables CircleCI API

wyardley · July 2, 2024, 12:41am

Yeah, you’d probably have to write a script to do this. Hopefully you’re using contexts as Sebastian mentioned; either way, it shouldn’t be crazy difficult – for example, you could do it with Python and GitHub - alpinweis/pycircleci: Python client for CircleCI API pretty easily, I think.

In a previous role, I wrote a tool that would rotate certain credentials, and sync them to Circle contexts at the same time. In a very general sense, if you have some basic facility in Python, you could do something like the following (note: this is untested and would obviously need some adjustment for your application):

import pycircleci.api
 
# Obviously, in your situation, you'll need two orgs and, potentially
# to instantiate two different "clients"
ORG_NAME="yourorg"
VCS_TYPE = "github"  # Or whatever you need

def main():
    # Define get_token() as a func that gets the token from your config and / or
    # an env var, or just use an env var directly there instead.
    client = pycircleci.api.Api(get_token())
    
    # See https://github.com/alpinweis/pycircleci/pull/27 and
    # https://discuss.circleci.com/t/circleci-api-follow-a-new-project/46410/7
    #
    # this will just get a list of repos in the current org; you could build some
    # kind of data structure that has your source / destination orgs / repos
    # instead.
    results = client.get_user_repos()
    repos = [
        result["name"]
        for result in results
        if result["username"] == ORG_NAME and result["has_followers"]
    ]
    for repo_name in repos:
        env_vars = client.list_envvars(username=ORG_NAME, project=repo_name)
        # Do some stuff to push the values to the corresponding repo's env vars
        # using add_envvar(), or, better, copy them to a context in the other org.
        #
        # example of code to write to a context by name:
        # contexts = client.get_contexts(username=ORG_NAME)
        # context_id = next(ctx["id"] for ctx in contexts if ctx["name"] == "wantedcontext")
        # client.add_context_envvar(context_id, key_name, value)

With regard to AWS (and other cloud platforms) specifically, if you are using static secrets like access tokens, I’d strongly recommend switching to OIDC auth at the same time (as described here), if you are not already doing so. Even if you are using static secret tokens, and can’t migrate to OIDC, it would probably be a good opportunity to rotate them when you migrate, if at all possible/

Topic		Replies	Views
Migrar secrets e outros dados da org Integrations and Accounts	0	124	June 24, 2024
Changing orgs and moving to EMU, but keeping the name Integrations and Accounts github	1	448	May 2, 2024
How to change our CircleCI to point to a new GitHub account Integrations and Accounts	3	2465	January 27, 2021
Migrate projects from One CircleCI to Another CircleCI Deployments circle-yml	1	950	February 27, 2023
[FAQ Compilation] Security Alert - Rotate any secrets stored in CircleCI Security	2	4303	January 5, 2023

How to migrate secrets from my org other org

Related topics