
ResourcePlugin Step Specification


This document provides a reference for a ResourcePlugin step specification. A step specification describes a step of a ResourcePlugin phase workflow that executes a script.

Here is an example of a ResourcePlugin step:

name: gen-password
inputs:
- name: stepInput
  valueFromStep:
    name: step1 # name of the step containing the output
    output: dbsecret # name of the output from step1
  as:
    env: DBSECRET # injected into step environment
outputs:
- name: password
  valueFromPath: /tmp/secret
  description: "password to access the database"
script: |
  #!/usr/bin/env bash
  dd if=/dev/urandom count=1 > /tmp/secret


name is required and must be unique amongst all steps in every resource plugin phase workflow (the create and delete phases).


inputs specifies the data consumed by the step and how that data is made available to the container running the step.


Each input has a required name, and that name must be unique amongst all inputs of the step.


Each resource in a Sandbox can provide parameters to a resource plugin in the form of a map from strings to strings. An input that refers to one of these parameters should set valueFromSandbox to true, and the name of the input should match a key in the sandbox parameters map. Otherwise, valueFromSandbox should be false and valueFromStep should be specified.


valueFromStep specifies the output of another step to be consumed as input. It has two fields: name, the name of the step producing the output to be consumed, and output, the name of the output within that step to consume as input.


valueFromStep:
  name: step1
  output: dbsecret


Each input has an as specification which tells how to present the data to the container running the step. Data may be presented as an environment variable, placed in a file at location path, or both. env specifies the name of the environment variable.
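The following is an added example, not code from Signadot or this specification, of how the input rules above fit together: it takes a step (represented here as plain Python dicts with the same keys as the YAML) plus the sandbox parameter map and the outputs of steps that have already run, and computes the environment variables and files that would be presented to the step container. The function name resolve_inputs and all sample values are constructed for the illustration.

```python
# Added example (not Signadot's own code): resolve a step's inputs into the
# environment variables and files presented to the step container, following
# the valueFromSandbox / valueFromStep / as rules of the step specification.
from typing import Dict, Tuple


def resolve_inputs(step: dict, sandbox_params: Dict[str, str],
                   step_outputs: Dict[str, Dict[str, str]]
                   ) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (env, files).

    env   maps environment variable name -> value
    files maps file path inside the container -> file contents
    step_outputs maps step name -> {output name -> value} for steps already run.
    """
    env: Dict[str, str] = {}
    files: Dict[str, str] = {}
    for inp in step.get("inputs", []):
        name = inp["name"]
        if inp.get("valueFromSandbox", False):
            # The input name doubles as the key into the sandbox parameter map.
            if name not in sandbox_params:
                raise KeyError(f"input {name!r}: no sandbox parameter named {name!r}")
            value = sandbox_params[name]
        else:
            ref = inp.get("valueFromStep")
            if ref is None:
                raise ValueError(f"input {name!r}: valueFromSandbox is false "
                                 "but valueFromStep is not set")
            producer = step_outputs.get(ref["name"])
            if producer is None or ref["output"] not in producer:
                raise LookupError(f"input {name!r}: step {ref['name']!r} has not "
                                  f"produced output {ref['output']!r}")
            value = producer[ref["output"]]

        presentation = inp.get("as") or {}
        if "env" not in presentation and "path" not in presentation:
            raise ValueError(f"input {name!r}: 'as' must set env, path, or both")
        if "env" in presentation:
            env[presentation["env"]] = value
        if "path" in presentation:
            files[presentation["path"]] = value
    return env, files


# Constructed sample data: the gen-password step from this document, extended
# with a second input that reads a sandbox parameter and presents it both ways.
SAMPLE_STEP = {
    "name": "gen-password",
    "inputs": [
        {"name": "stepInput",
         "valueFromStep": {"name": "step1", "output": "dbsecret"},
         "as": {"env": "DBSECRET"}},
        {"name": "dbname",
         "valueFromSandbox": True,
         "as": {"env": "DBNAME", "path": "/tmp/dbname"}},
    ],
    "outputs": [{"name": "password", "valueFromPath": "/tmp/secret"}],
    "script": "#!/usr/bin/env bash\ndd if=/dev/urandom count=1 > /tmp/secret\n",
}
SAMPLE_SANDBOX_PARAMS = {"dbname": "orders"}          # constructed
SAMPLE_STEP_OUTPUTS = {"step1": {"dbsecret": "s3cr3t"}}  # constructed


def example() -> Tuple[Dict[str, str], Dict[str, str]]:
    return resolve_inputs(SAMPLE_STEP, SAMPLE_SANDBOX_PARAMS, SAMPLE_STEP_OUTPUTS)


if __name__ == "__main__":
    env, files = example()
    print("env:", env)
    print("files:", files)
```

Because an unresolved valueFromStep reference or a missing sandbox parameter raises before any value is presented, a misconfigured step fails loudly rather than running with an empty secret in its environment.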


outputs specifies the data produced by the step for consumption by other steps or by workloads running in sandboxes.


Each output has a name that must be unique amongst all outputs of the step.


Each output has an optional description which is a short string.


valueFromPath tells the Signadot Operator to read the output from the given path once the script has terminated. For example, we may have

script: |
  #!/bin/sh
  echo a > /tmp/a
outputs:
- name: a
  valueFromPath: /tmp/a

The file at that path must exist once the script has terminated successfully.


The script field is a string containing the script to run. The script uses the traditional #!/path/to/interpreter unix shebang format: /path/to/interpreter is executed and fed the rest of the script as its input.

There are no constraints on the interpreter other than that it must be present on the ResourcePlugin runner.

Following this pattern, the script may reference anything present on the runner, including secret mounts, environment variables, tools such as helm, and so on.

script is required and must start with #!. The maximum size of a script is 10240 bytes.
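As an added example that is not part of this specification or Signadot's tooling, the validator below checks a step (again as plain dicts mirroring the YAML keys) against the rules stated on this page: required and unique step names across phase workflows, unique input and output names, valueFromSandbox or a complete valueFromStep on every input, an as presentation on every input, valueFromPath on every output, and a script that starts with #! and is at most 10240 bytes. It also assumes that a valueFromStep reference may target any step declared in the plugin and checks that the referenced step and output exist; the function names validate_step and validate_plugin are hypothetical.

```python
# Added example (not Signadot's own validator): check ResourcePlugin step
# specifications against the rules described in this document.
from typing import Dict, List, Set

MAX_SCRIPT_BYTES = 10240


def validate_step(step: dict) -> List[str]:
    """Return human-readable problems with one step; an empty list means valid."""
    errors: List[str] = []
    where = f"step {step.get('name', '<unnamed>')!r}"
    if not step.get("name"):
        errors.append("step name is required")

    seen_inputs: Set[str] = set()
    for inp in step.get("inputs", []):
        name = inp.get("name")
        if not name:
            errors.append(f"{where}: every input needs a name")
            continue
        if name in seen_inputs:
            errors.append(f"{where}: duplicate input name {name!r}")
        seen_inputs.add(name)
        if not inp.get("valueFromSandbox", False):
            ref = inp.get("valueFromStep")
            if not isinstance(ref, dict) or not ref.get("name") or not ref.get("output"):
                errors.append(f"{where}: input {name!r} needs valueFromSandbox: true "
                              "or valueFromStep with both name and output")
        presentation = inp.get("as") or {}
        if "env" not in presentation and "path" not in presentation:
            errors.append(f"{where}: input {name!r} must be presented as env, path, or both")

    seen_outputs: Set[str] = set()
    for out in step.get("outputs", []):
        name = out.get("name")
        if not name:
            errors.append(f"{where}: every output needs a name")
            continue
        if name in seen_outputs:
            errors.append(f"{where}: duplicate output name {name!r}")
        seen_outputs.add(name)
        if not out.get("valueFromPath"):
            errors.append(f"{where}: output {name!r} needs valueFromPath")

    script = step.get("script")
    if not isinstance(script, str) or not script:
        errors.append(f"{where}: script is required")
    else:
        if not script.startswith("#!"):
            errors.append(f"{where}: script must start with a #! shebang line")
        size = len(script.encode("utf-8"))  # the limit is in bytes, not characters
        if size > MAX_SCRIPT_BYTES:
            errors.append(f"{where}: script is {size} bytes, limit is {MAX_SCRIPT_BYTES}")
    return errors


def validate_plugin(phases: Dict[str, List[dict]]) -> List[str]:
    """Validate every step of every phase workflow (e.g. create and delete),
    enforce step-name uniqueness across phases, and resolve valueFromStep refs."""
    errors: List[str] = []
    outputs_by_step: Dict[str, Set[str]] = {}
    for steps in phases.values():
        for step in steps:
            errors.extend(validate_step(step))
            name = step.get("name")
            if not name:
                continue
            if name in outputs_by_step:
                errors.append(f"duplicate step name {name!r} across phase workflows")
            outputs_by_step[name] = {o.get("name") for o in step.get("outputs", [])}
    # Second pass: every valueFromStep must point at a declared step and output.
    # Assumption: references may target any step in the plugin.
    for steps in phases.values():
        for step in steps:
            for inp in step.get("inputs", []):
                ref = inp.get("valueFromStep")
                if not isinstance(ref, dict) or not ref.get("name") or not ref.get("output"):
                    continue  # already reported by validate_step
                target = outputs_by_step.get(ref["name"])
                if target is None:
                    errors.append(f"step {step.get('name')!r}: input {inp.get('name')!r} "
                                  f"references unknown step {ref['name']!r}")
                elif ref["output"] not in target:
                    errors.append(f"step {step.get('name')!r}: input {inp.get('name')!r} "
                                  f"references output {ref['output']!r} that step "
                                  f"{ref['name']!r} does not declare")
    return errors


# Constructed sample plugin built from the examples in this document.
GOOD_PLUGIN = {
    "create": [
        {"name": "step1",
         "outputs": [{"name": "dbsecret", "valueFromPath": "/tmp/secret"}],
         "script": "#!/usr/bin/env bash\ndd if=/dev/urandom count=1 > /tmp/secret\n"},
        {"name": "gen-password",
         "inputs": [{"name": "stepInput",
                     "valueFromStep": {"name": "step1", "output": "dbsecret"},
                     "as": {"env": "DBSECRET"}}],
         "outputs": [{"name": "password", "valueFromPath": "/tmp/secret",
                      "description": "password to access the database"}],
         "script": "#!/usr/bin/env bash\ndd if=/dev/urandom count=1 > /tmp/secret\n"},
    ],
    "delete": [
        {"name": "cleanup", "script": "#!/bin/sh\nrm -f /tmp/secret\n"},
    ],
}

# Constructed step that breaks several rules at once.
BAD_STEP = {
    "name": "broken",
    "inputs": [
        {"name": "x", "valueFromStep": {"name": "step1"}, "as": {"env": "X"}},  # no output
        {"name": "x", "valueFromSandbox": True},                               # dup, no as
    ],
    "outputs": [{"name": "out"}],                                              # no path
    "script": "echo hi\n",                                                     # no shebang
}

if __name__ == "__main__":
    print("good plugin problems:", validate_plugin(GOOD_PLUGIN))
    for problem in validate_step(BAD_STEP):
        print("bad step:", problem)
```

Running the validator before a plugin is installed catches the cases that would otherwise only surface as a failed phase workflow: a step consuming an output nobody produces, a script the runner cannot hand to an interpreter because it lacks a shebang, or a script over the size limit.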