What is the preferred way of storing a variable in GitLab without any collaborator ever seeing it?

I am new to GitLab, so please pardon me if I am raising a stupid question here:

According to GitLab docs, secrets are either stored in the repository’s .gitlab-ci.yml CI/CD file or in the project’s properties section. Both can potentially be read by developers and maintainers or scripted to be read in a job.

In a highly confidential production environment, like, e.g., banking, none of the project members are supposed to get access to any of these secrets.

I was thinking about storing a database connection string in a GitLab variable, so the GitLab CI/CD pipeline will be able to set the project’s configuration accordingly on deployment. Access to both the secrets and the deployment artifacts should be denied to anyone in the team. And any logging should be impossible.

So, I wonder what is the preferred way of safely storing a secret in GitLab without any collaborator ever seeing it?

You can store variables under Settings → CI/CD → Variables.

If the member is owner or maintainer then they can see the variables. If they are developer or lower, they cannot see anything under Settings, so that means they cannot see the variables. Just checked/verified this on my Gitlab instance.

So, you suggest that’s rather an organizational question than a technical question?

From my experience, the development team is the owner of repositories. Yet, none of them is supposed to know any production configuration details. That’s the job of a demilitarized production deployment team.

I’m not suggesting anything of the sort of whether that is organisational/technical. You asked for assistance, I replied to help out, but you seem somewhat unhappy either way. On my install, as I said, I verified it. The developers do not see the variables, because they cannot get to the repository settings. Only the maintainer or owner can see them (verified by changing my permissions from developer to maintainer).

I believe you can use other methods for storing variables/secrets, eg: Hashicorp Vault, and use them in CI/CD if you believe the Gitlab variables option to be a problem for you.
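As an added illustration of the Vault approach mentioned above (this is not code from any of the posters), here is a `.gitlab-ci.yml` deploy job that fetches the database connection string from HashiCorp Vault at run time through GitLab’s built-in `secrets:` keyword and a short-lived CI ID token. The secret is never stored as a GitLab CI/CD variable at all, so it cannot be read from Settings → CI/CD → Variables regardless of role. The Vault address, the JWT auth role name, the KV path and the `deploy.sh` script are assumed placeholders.

```yaml
# Added example, not from the thread. A production deploy job that pulls its
# database connection string from HashiCorp Vault via GitLab's `secrets:` keyword.
# Assumed values: the Vault address, the JWT auth role, the KV v2 mount and path.
variables:
  VAULT_SERVER_URL: "https://vault.example.internal:8200"   # assumed Vault address
  VAULT_AUTH_ROLE: "gitlab-prod-deploy"                      # assumed JWT auth role in Vault

deploy_production:
  stage: deploy
  image: alpine:3.19
  # Restrict the job to the default (protected) branch so that pipelines on
  # developer branches never reach the secret-fetching step.
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  environment:
    name: production
  # GitLab mints a signed OIDC ID token for this job; Vault's JWT auth method
  # verifies it and checks its bound claims (project, ref, ref_protected, ...).
  id_tokens:
    VAULT_ID_TOKEN:
      aud: "https://vault.example.internal:8200"   # must match the audience bound in Vault
  secrets:
    DB_CONNECTION_STRING:
      # Format is path/to/secret/field@engine_mount; values here are assumed.
      vault: "production/app/db_connection_string@kv-v2"
      token: $VAULT_ID_TOKEN
      file: false   # expose the value directly instead of as a path to a temp file
  script:
    - ./deploy.sh   # assumed deployment script; it reads $DB_CONNECTION_STRING and must never print it
```

The control that keeps developers out lives on the Vault side: the JWT auth role should bind to the project ID and require `ref_protected` (and, if used, `environment_protected`) to be true, so a token from a pipeline on an unprotected branch is rejected even if someone copies this job definition. Combine that with GitLab protected branches and protected environments, where only the deployment team can push or deploy, and nobody on the development team ever holds the connection string; GitLab masks variables fetched this way in the job log, but a job script that deliberately prints a secret is still the maintainers’ responsibility to review.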

If you are using Gitlab SaaS, you can store variables as an admin under Admin → Settings → CI/CD → Variables.

No one can see these variables other than Gitlab admins.

I’m not a GitLab expert, but as far as I understand, GitLab does not have an option to save secrets in the same way GitHub Actions does. In GitHub Actions, secrets are stored in a way that even admins cannot view them, only edit them. It seems some users might be looking for a similar approach in GitLab, but unfortunately, that isn’t an option available in GitLab at this time.