Deployment to AWS with secret keys

Hi folks,

GitLab CI procedural question for y'all.

We want to be able to deploy stuff into a private AWS account and have it work so that developers can commit their CI pipelines and have the AWS CLI in the pipeline be authenticated.

Usually we’d stick the keys into environment variables in the CI pipeline and that would be that, but in this case the SAs don’t want anyone outside of their team getting their hands on the keys, which is fair enough as it's a production environment and they don’t want people going wild with AWS credentials.

So my question is, have other people come up with this type of scenario and what did you do to get around it? Can you deploy a runner inside the firewall and have it inject environment variables into the build containers so they exist purely on the runner?

Currently the solution is to mirror the git repo into AWS CodeCommit and have it manage the deployment into AWS Fargate or whatever, but it's a bit… lacking, and takes extra time and configuration.

TIA!

I should probably also point out the question isn’t AWS specific.

If you want to deploy to any environment where the SA is protective of the access keys, how do you do it in a secure manner?

Oh and also, I’d rather not restrict my developers to a “developer” role, I want them to manage their projects as they see fit.
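The "runner inside the firewall injects the variables" idea from the question, shown as a runner-side config (an added example, not from the original post): the GitLab Runner `config.toml` on the SA-controlled host carries the credentials in the runner's `environment` list, so they never appear in the project's CI/CD variable settings. The runner name, URL, token and key values below are placeholders.

```toml
concurrent = 1

[[runners]]
  name = "aws-deploy-runner"                 # hypothetical runner name
  url = "https://gitlab.example.com/"         # placeholder GitLab URL
  token = "RUNNER_TOKEN_PLACEHOLDER"          # registration result, kept on this host only
  executor = "docker"

  # Everything listed here is injected into the environment of every job
  # this runner executes. The values live only in this file on the runner
  # host, not in GitLab's project or group CI/CD variables.
  environment = [
    "AWS_ACCESS_KEY_ID=AKIA_PLACEHOLDER",
    "AWS_SECRET_ACCESS_KEY=SECRET_PLACEHOLDER",
    "AWS_DEFAULT_REGION=eu-west-1",
  ]

  [runners.docker]
    image = "amazon/aws-cli:latest"           # default job image; jobs may override
    privileged = false                        # no need for privileged containers here
```

Any job that is scheduled onto this runner can still read these variables from its own environment, so the runner should be assigned only to the deploy project(s) and marked protected so it picks up jobs only from protected branches and tags.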