Secrets in CI/CD
Securely store, access, and rotate sensitive credentials used in CI/CD pipelines without exposing them in code or logs.
Description
Secrets in CI/CD addresses the challenge of providing sensitive credentials (API keys, database passwords, signing keys, cloud provider credentials, Docker registry tokens) to automated pipelines without exposing them in source code, build logs, or artifacts. Every CI/CD platform provides encrypted secret storage that injects values as environment variables at runtime, masked from log output.
Best practices include using the CI platform's built-in secret storage (GitHub Actions secrets, GitLab CI variables) for pipeline-specific values, with references to external secret managers (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager) for production credentials. OIDC-based authentication (e.g., GitHub Actions OIDC with AWS IAM roles) eliminates the need for long-lived access keys entirely by exchanging short-lived, scoped tokens. Secrets should be scoped to the minimum necessary environment (production secrets only accessible to production deployment jobs).
Secret rotation must be planned from the start: credentials should be rotated on a schedule (90 days is common) and immediately upon suspected compromise. The rotation process should be automated and tested to avoid outages. Audit logging should track which pipelines accessed which secrets and when. Never echo, print, or log secret values -- CI platforms mask known secrets in logs, but derived values (e.g., base64-encoded secrets) may not be automatically masked. Store Docker image pull secrets and Helm values containing credentials in the CI platform's secret store, never in version control.
Prompt Snippet
Configure GitHub Actions secrets at the repository and environment level. Use environment protection rules to restrict production secrets to the deploy job with required reviewers. Eliminate AWS static credentials by configuring OIDC federation: create an IAM OIDC provider for token.actions.githubusercontent.com, define an IAM role with a trust policy scoped to the repo and branch (sub: repo:org/repo:ref:refs/heads/main), and use aws-actions/configure-aws-credentials@v4 with role-to-assume. For database credentials, fetch from AWS Secrets Manager at deploy time using the AWS CLI, never store in GitHub secrets. Add a CI step that runs trufflehog or gitleaks to scan for accidentally committed secrets on every PR.
Tags
Related Terms
CI/CD Pipeline Design
Automate building, testing, and deploying code through a structured pipeline triggered by version control events.
GitHub Actions Workflows
Define automated CI/CD workflows using YAML files triggered by GitHub events like pushes, pull requests, and releases.
Environment Variable Management
Externalize application configuration into environment variables to separate config from code across environments.
Infrastructure as Code (Terraform basics)
Define and provision cloud infrastructure using declarative configuration files that are version-controlled and peer-reviewed.