feat(oidc): for using EC credentials

v1v · v1v · commit 7e15a135df30 · 2025-05-17T00:07:30.000+02:00
diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command
@@ -33,7 +33,6 @@ export REPO_BUILD_TAG
 
 BUILDKITE_API_TOKEN_PATH=kv/ci-shared/platform-ingest/buildkite_token
 
-EC_TOKEN_PATH=kv/ci-shared/platform-ingest/platform-ingest-ec-qa
 EC_DATA_PATH=secret/ci/elastic-integrations/ec_data
 
 # variables required for terraform
@@ -117,10 +116,6 @@ if [[ "${BUILDKITE_PIPELINE_SLUG}" == "integrations-serverless" ]]; then
         BUILDKITE_API_TOKEN=$(retry 5 vault kv get -field buildkite_token "${BUILDKITE_API_TOKEN_PATH}")
         export BUILDKITE_API_TOKEN
 
-        EC_API_KEY_SECRET=$(retry 5 vault kv get -field apiKey "${EC_TOKEN_PATH}")
-        export EC_API_KEY_SECRET
-        EC_HOST_SECRET=$(retry 5 vault kv get -field url "${EC_TOKEN_PATH}")
-        export EC_HOST_SECRET
         EC_REGION_SECRET=$(retry 5 vault read -field region_qa "${EC_DATA_PATH}")
         export EC_REGION_SECRET
     fi
diff --git a/.buildkite/hooks/pre-exit b/.buildkite/hooks/pre-exit
@@ -28,7 +28,7 @@ if [[ "$BUILDKITE_PIPELINE_SLUG" == "integrations-serverless" ]]; then
         # Ensure elastic stack is stopped
         if [ -f "${ELASTIC_PACKAGE_BIN}" ]; then
             echo "--- Take down the Elastic stack"
-            EC_API_KEY=${EC_API_KEY_SECRET} EC_HOST=${EC_HOST_SECRET} ${ELASTIC_PACKAGE_BIN} stack down -v
+            ${ELASTIC_PACKAGE_BIN} stack down -v
         fi
     fi
 fi
diff --git a/.buildkite/pipeline.serverless.yml b/.buildkite/pipeline.serverless.yml
@@ -73,7 +73,16 @@ steps:
       - elastic/oblt-aws-auth#v0.1.0:
           duration: 10800 # seconds
       # See https://github.com/elastic/oblt-infra/blob/main/conf/resources/repos/integrations/01-gcp-buildkite-oidc.tf
-      # This plugin authenticates to Google Cloud using the OIDC token.
+      # This plugin authenticates to the default Google Cloud using the OIDC token to fetch
+      # the google secrets.
+      - elastic/oblt-google-auth#v1.3.0:
+          lifetime: 10800 # seconds
+      - avaly/gcp-secret-manager#v1.2.0:
+          env:
+            EC_API_KEY: elastic-cloud-observability-team-qa-api-key
+            EC_HOST: elastic-cloud-observability-team-qa-endpoint
+      # See https://github.com/elastic/oblt-infra/blob/main/conf/resources/repos/integrations/01-gcp-buildkite-oidc.tf
+      # This plugin authenticates to CI Google Cloud using the OIDC token.
       - elastic/oblt-google-auth#v1.3.0:
           lifetime: 10800 # seconds
           project-id: "elastic-observability-ci"
diff --git a/.buildkite/scripts/common.sh b/.buildkite/scripts/common.sh
@@ -540,9 +540,6 @@ prepare_serverless_stack() {
     fi
     create_elastic_package_profile "${profile_name}"
 
-    export EC_API_KEY=${EC_API_KEY_SECRET}
-    export EC_HOST=${EC_HOST_SECRET}
-
     echo "Boot up the Elastic stack"
     # grep command required to remove password from the output
     if ! ${ELASTIC_PACKAGE_BIN} stack up \
