1. Home
  2. Automation
  3. Secrets Management in CI/CD Pipelines
Searching...

Secrets Management in CI/CD Pipelines

Contents

Summary: This playbook outlines a secure, repeatable approach to managing secrets in CI/CD pipelines. It covers common tools, risk mitigation strategies, workflows, and best practices that should be integrated into your organization’s software delivery lifecycle.

1. Purpose

To define a standard operating procedure (playbook) for managing sensitive values (“secrets”) in CI/CD pipelines, such as API keys, database credentials, tokens, and cryptographic keys. The objective is to reduce the risk of accidental exposure and unauthorized access.

2. Scope

This playbook applies to all DevSecOps engineers, platform teams, and application developers managing continuous integration and deployment processes using tools like GitHub Actions, GitLab CI/CD, Jenkins, and HashiCorp Vault.

3. Definitions

  • Secret: Any sensitive information such as passwords, tokens, or private keys.
  • Vault: A secure storage mechanism for secrets (e.g., HashiCorp Vault, AWS Secrets Manager).
  • Scoped Secrets: Secrets limited in access to specific environments or contexts.
  • Ephemeral Secrets: Short-lived credentials dynamically generated at runtime.

4. Roles & Responsibilities

  • DevSecOps Team: Maintains vaulting infrastructure, enforces policies, and audits usage.
  • Developers: Consume secrets securely via CI/CD and report misconfigurations or exposures.
  • Security Team: Oversees access controls and ensures compliance with regulatory standards.

5. Tooling Overview

  • GitHub Actions: Use encrypted secrets and environment-level protection with OIDC integration.
  • GitLab CI: Use masked, protected CI/CD variables and Vault integration.
  • Jenkins: Use the Credentials Plugin and secure pipeline libraries.
  • Vault Tools: HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, etc.

6. Implementation Steps

  1. Identify secrets required by the pipeline or application (e.g., DB credentials, tokens).
  2. Classify secrets based on sensitivity and environment (dev, test, prod).
  3. Store secrets in a secure vault or encrypted secret manager.
  4. Configure CI/CD to fetch secrets securely (OIDC, short-lived tokens preferred).
  5. Inject secrets at runtime via environment variables or secret mounting (never in code).
  6. Implement automatic rotation and expiration policies where possible.
  7. Audit usage and access logs on a regular basis.

7. Best Practices

  • Do not store secrets in source control (even encrypted files).
  • Use fine-grained IAM policies to control access to secrets.
  • Prefer environment-specific secrets over global values.
  • Use ephemeral credentials issued through identity federation where possible (OIDC, IAM roles).
  • Restrict write access to secret storage platforms.
  • Enable alerting on access anomalies or secrets misconfiguration.

8. Example Integration: GitHub Actions + AWS OIDC

This example demonstrates a secure pattern for CI/CD pipelines to access AWS secrets using OIDC-based federation.

permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::123456789012:role/GitHubOIDCRole
          aws-region: us-east-1

      - name: Access secure secret
        run: aws ssm get-parameter --name "/app/prod/db_password" --with-decryption

9. Diagrams

OIDC-Based Secret Access: GitHub Actions + HashiCorp Vault
This diagram illustrates how GitHub Actions securely accesses secrets from HashiCorp Vault using OIDC federation, without relying on long-lived static credentials.

10. Implementation Checklist

  • ☑️ Secrets stored outside of source control (e.g., Vault, SSM, Key Vault)
  • ☑️ Role-based access control enforced on secret access
  • ☑️ OIDC or federated auth configured (if supported)
  • ☑️ Secrets scoped by environment (dev, staging, prod)
  • ☑️ Runtime injection of secrets (not baked into images or config files)
  • ☑️ Expiration or rotation policy defined per secret
  • ☑️ Access logs audited periodically

11. Common Pitfalls

  • Hardcoding secrets: Secrets accidentally committed to repos or config files
  • Over-permissive access: Developers or services with full access to all environments
  • Improper token scoping: Static tokens or long-lived AWS credentials used in CI jobs
  • Echoing secrets in logs: Printing secrets via echo $VAR or debug flags
  • Missing secret revocation process: No defined procedure when staff leaves or tokens are compromised
  • Using plaintext secrets during local testing: No separation between dev/test secrets and production-level security

12. References

Updated on May 12, 2025
Tagged:
Was this article helpful?
Yes No

Related Articles

Leave a Comment