Is it safe to use GitLab CI «protected» variables for secrets?

Tags:

gitlab

I haven't found any way to pass secret variables in GitLab CI pipelines except with so-called «protected» variables. Any other variables can be revealed by any committer, as every commit/branch goes through a pipeline and the code can be modified.

I don't like protected variables because they are too complicated. I need to grant access to some variable to certain people, like I do in SQL databases or Linux filesystems. Instead, I have to make a protected variable, a protected branch, a protected environment (premium feature). And I have to add the maintainer permission level to some users. And then (maybe) they will be the only people to access my secret variables.

Also, I have no idea how those variables are stored. Usually, I use Hashicorp Vault, and now GitLab is the weakest security point.

Is it safe enough? Are there more reliable methods to keep secrets in CI pipelines?

Gregory Avatar asked Jul 21 '19 22:07


People also ask

Are GitLab CI variables secure?

GitLab CI allows you to define per-project or per-group secret variables. The secret variables are stored outside of the repository (not in .gitlab-ci.yml) and are securely passed to the GitLab Runner, making them available during a pipeline run.

What are protected variables in GitLab?

Protected variables are only available if there is a job on a protected branch or tag. The reasoning behind this is to allow setups which prevent rights escalation, e.g. credentials for the testing environment for developers on all branches, and deployable credentials only on master/release branches.

Is it safe to use GitLab shared runners?

Fortunately, http://gitlab.com seems to be sharing only docker runners. Docker runners are generally safe* because every build runs in a new container, so there's nothing to worry about.


1 Answer

Issue 13784 refers to encryption at rest, so the security is not... optimal.

There is an open epic to improve that, and you can set up a Vault integration, but there is not one by default.
Issue 61053 is about solving that: "Vault integration for key/value secrets MVC"

More and more teams are starting to store their secrets in Vault.
We should provide a secure way to fetch short-lived tokens from Vault that can be used at runtime by a job in a CI/CD pipeline.

This is for GitLab 12.3, Sept. 2019.

VonC Avatar answered Oct 04 '22 23:10
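As an added example, not from the question or the answer: a .gitlab-ci.yml showing the weak setting the question describes (a plain variable reachable from any branch) beside the protected-ref restriction, and, for the Vault direction the answer points to, the `id_tokens`/`secrets` keywords GitLab later shipped (GitLab 15.7+ syntax). The project name, Vault address, role and secret path are placeholders, and it assumes `main` is a protected branch, DEPLOY_TOKEN is marked masked and protected in the project settings, and VAULT_SERVER_URL is set as a CI variable.

```yaml
# Added example (not from the post). Assumptions: protected branch "main",
# a masked+protected CI variable DEPLOY_TOKEN, a CI variable VAULT_SERVER_URL,
# and a Vault JWT auth role that trusts this project's ID tokens.
# All Vault paths, roles and URLs below are placeholders.

# Weak: the secret is an ordinary CI variable and the job runs on every ref,
# so any committer can edit this file on a feature branch and print the value.
deploy-weak:
  stage: deploy
  script:
    - ./deploy.sh "$DEPLOY_TOKEN"

# Better: DEPLOY_TOKEN is marked "protected" in the project settings (done in
# the UI, not here), and the job itself only runs on protected refs, so a
# pipeline started from an unprotected branch never receives the value.
deploy:
  stage: deploy
  script:
    - ./deploy.sh "$DEPLOY_TOKEN"
  rules:
    - if: '$CI_COMMIT_REF_PROTECTED == "true"'
  environment:
    name: production

# Vault direction: no long-lived secret is stored in GitLab at all. The job
# presents a short-lived OIDC ID token to Vault's JWT auth backend and the
# runner fetches the secret for this job's lifetime only.
deploy-vault:
  stage: deploy
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://vault.example.com        # placeholder audience / Vault URL
  variables:
    VAULT_AUTH_ROLE: gitlab-deploy           # placeholder Vault JWT role name
  secrets:
    DEPLOY_TOKEN:
      vault: production/deploy/token@kv     # placeholder: path "production/deploy",
                                            # field "token", KV engine mounted at "kv"
      token: $VAULT_ID_TOKEN
  script:
    # By default the secrets: keyword writes the value to a temp file and puts
    # that file's path in DEPLOY_TOKEN, so it is read back here.
    - ./deploy.sh "$(cat "$DEPLOY_TOKEN")"
  rules:
    - if: '$CI_COMMIT_REF_PROTECTED == "true"'
```

The protected-ref rule still matters in the Vault job: Vault's JWT role can additionally be bound to the `ref_protected` claim of the ID token so that an unprotected branch cannot mint a usable login even if the YAML is edited.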