Controlling access to secrets within Continuous Integration and Delivery (CI/CD) systems is very important. CI/CD those systems often use credentials with highly-privileged access to create and publish business critical artifacts and application deployments.
Yet, some CI/CD systems do not have any sort of access control mechanism built into the product to ensure that only an authorized Job or User has access to a credential. Secrets are often stored in CI systems in a global scope such that any User or Job within access to the system can access any secret. And when those access control functions exist, they often aren’t used.
What I mean by this is that a Job that manages application deployments for Team A’s development environment should not have access to the credentials for Team A’s production environment, let alone Team B’s production environment.
Everything “works fine” and things move along because “everyone trusts each other” until a deploy job accidentally references the wrong credential and blows away production.
Even if you trust everyone not to act maliciously (umm… you shouldn’t), why should people be subjected to the stress of knowing they might run a job and blow something up accidentally? I know I don’t want that burden in my life if I can help it.
So, today, I’d like to provide a few pointers on how to do this.
In Jenkins, you’ll need the ‘Credentials’ plugin, which is included by default. The Credentials plugin user guide explains the default global, system, and user scopes within Jenkins and how permissions can be assigned to a given credential. The guide also explains how you can introduce and use the Authorize Project and Folder plugins to provide credentials to a Job or set of Jobs.
GitLab Enterprise has a feature tolimit the use and scope of environment variable to a branch or environment.
CircleCI recently launched a feature called Restricted Contexts to share secrets amongst teams and jobs safely.
CodeFresh provides a generalized access control policy language that can be used to manage access to all kinds of objects inside CodeFresh, including the shared configurations used for secrets.
If you feel like your setup for managing access to CI/CD system secrets is good and want to share it with others, please drop me a note and I’ll share it with the list!
Receive #NoDrama articles in your inbox whenever they are published. Reply to Stephen and the QualiMente team when you want to dig deeper into a topic.