From c1c773a7ee5f6c8b29ac49f934186572d08073ed Mon Sep 17 00:00:00 2001
From: Francisco Ramon <francisco.ramon@elastic.co>
Date: Tue, 28 Oct 2025 13:54:49 +0100
Subject: [PATCH] Reduce the scope of the legacy gcp secrets (#10734)

* Reduce the scope of the legacy secrets usage only for integration-test-matrix

* Fix pipeline slug

* Add google oidc plugin in integration tests ech step

* Remove gcp auth plugin usage and fix pre exit command

* Fix typo

* Preserve ESS Credentials logic

* Use parameter expansion instead of adding more logic to reduce the complexity

(cherry picked from commit 41dd43d1e2cfc1bd3949e0d26e12bda390e60a9f)
---
 .buildkite/hooks/pre-command | 4 +++-
 .buildkite/hooks/pre-exit    | 4 ++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command
index f11f9f6b2cc..e838dfaf74c 100755
--- a/.buildkite/hooks/pre-command
+++ b/.buildkite/hooks/pre-command
@@ -34,14 +34,16 @@ if [[ "$BUILDKITE_PIPELINE_SLUG" == "elastic-agent-package" ]]; then
   fi
 fi
 
-if [[ "$BUILDKITE_STEP_KEY" == *"integration-tests"* ]]; then
+if [[ "$BUILDKITE_PIPELINE_SLUG" == "buildkite-elastic-agent-integration-matrix" ]]; then
   echo "Setting credentials"
   # Set GCP credentials
   export GOOGLE_APPLICATION_GCP_SECRET=$(retry 5 vault kv get -format=json -field=data ${CI_GCP_OBS_PATH})
   echo "${GOOGLE_APPLICATION_GCP_SECRET}" > ./gcp.json
   export GOOGLE_APPLICATION_CREDENTIALS=$(realpath ./gcp.json)
   export TEST_INTEG_AUTH_GCP_SERVICE_TOKEN_FILE=$(realpath ./gcp.json)
+fi
 
+if [[ "$BUILDKITE_STEP_KEY" == *"integration-tests"* ]]; then
   # ESS credentials
   export API_KEY_TOKEN=$(vault kv get -field apiKey ${CI_ESS_PATH})
   echo ${API_KEY_TOKEN} > ./apiKey
diff --git a/.buildkite/hooks/pre-exit b/.buildkite/hooks/pre-exit
index c3d81b1a939..4defbe3bfc8 100755
--- a/.buildkite/hooks/pre-exit
+++ b/.buildkite/hooks/pre-exit
@@ -14,13 +14,13 @@ if [[ "$BUILDKITE_STEP_KEY" == *"integration-tests"* ]]; then
   SNAPSHOT=true mage integration:clean
 fi
 
-if [ -n "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
+if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
   if test -f "$GOOGLE_APPLICATION_CREDENTIALS"; then
     rm $GOOGLE_APPLICATION_CREDENTIALS
   fi
 fi
 
-if [ -n "$TEST_INTEG_AUTH_GCP_SERVICE_TOKEN_FILE" ]; then
+if [ -n "${TEST_INTEG_AUTH_GCP_SERVICE_TOKEN_FILE:-}" ]; then
   if test -f "$TEST_INTEG_AUTH_GCP_SERVICE_TOKEN_FILE"; then
     rm $TEST_INTEG_AUTH_GCP_SERVICE_TOKEN_FILE
   fi