Hi all. I have a CI job that uploads things to an S3 bucket. It uses an AWS access key and secret key provided in the environment in order to authenticate. My problem is pretty simple: even with variable masking on, any developer with access to create merge requests on the repository can do this:
echo $CACHE_ACCESS_SECRET_KEY | tr 'A-Za-z' 'N-ZA-Mn-za-m'
to get a handy rot13-encoded version of the secret key visible in the job log.
Now, the CI wiki tells me “Masking a CI/CD variable is not a guaranteed way to prevent malicious users from accessing variable values. To make variables more secure, you can use external secrets.” but I don’t know if this is actually much more helpful. The wiki page for external secrets explains that the secret is stored either in a temporary file (which is, presumably, readable by the builder) or directly in the environment, which doesn’t do anything to stop a malicious developer.
In general, what is the best way to solve this problem? Is it possible to prevent pipelines from triggering if there are changes to the CI yaml files, until those changes have been authorized by some trusted party?