Securing Application Secrets in CI/CD Pipelines

Question

Your application artifacts are being built and deployed via a CI/CD pipeline.

You want the CI/CD pipeline to securely access application secrets.

You also want to more easily rotate secrets in case of a security breach.

What should you do?

Answers

A. Prompt developers for secrets at build time. Instruct developers to not store secrets at rest.
B. Store secrets in a separate configuration file on Git. Provide select developers with access to the configuration file.
C. Store secrets in Cloud Storage encrypted with a key from Cloud KMS. Provide the CI/CD pipeline with access to Cloud KMS via IAM.
D. Encrypt the secrets and store them in the source code repository. Store a decryption key in a separate repository and grant your pipeline access to it.

Correct answer: C

Explanations

Option A: Prompt developers for secrets at build time. Instruct developers to not store secrets at rest. An interactive prompt defeats the purpose of an automated pipeline: builds cannot run unattended, whoever happens to trigger a build must personally hold every production secret, and values typed at a prompt tend to end up in shell history, build logs or environment variables regardless of what developers are instructed. Rotation is also unsolved, because every developer who knows the old value has to be given the new one.

Option B: Store secrets in a separate configuration file on Git. Provide select developers with access to the configuration file. Git has no per-file access control, so "select developers" means everyone who can clone the repository, and a secret committed in plaintext stays in the history of every clone, fork and CI cache even after it is deleted from the working tree. Rotating a leaked value therefore requires rewriting history in addition to changing the secret, which is exactly the breach response the question wants to make easy. This is a well-known anti-pattern, not an improvement on Option A.

Option C: Store secrets in Cloud Storage encrypted with a key from Cloud KMS. Provide the CI/CD pipeline with access to Cloud KMS via IAM. This is the intended answer. The secrets are only ever stored as ciphertext in a Cloud Storage bucket, and the key that protects them never leaves Cloud KMS, which manages keys rather than secrets: it performs the decrypt operation for a caller that IAM authorises and returns the plaintext for that one ciphertext. The pipeline runs as a service account granted roles/cloudkms.cryptoKeyDecrypter on that single key plus read access to the bucket, so no human needs the plaintext and the pipeline gets nothing beyond what it needs. Rotating a compromised secret touches neither code nor pipeline configuration: re-encrypt the new value, overwrite the object, and the next build decrypts the new value. Cloud KMS key rotation can be scheduled on top of this, and existing ciphertext stays decryptable because it records which key version produced it. On current Google Cloud the purpose-built service for this job is Secret Manager, but among the four choices offered this is the correct design.

Option D: Encrypt the secrets and store them in the source code repository. Store a decryption key in a separate repository and grant your pipeline access to it. Encrypting the secrets is an improvement over Option B, but the ciphertext still lives permanently in repository history, and the decryption key is now a long-lived secret sitting in another repository instead of in a managed key service: anyone with read access to both repositories holds everything, and the key cannot be rotated without re-encrypting and recommitting every secret. The two-repository split adds an access boundary only on paper, since the pipeline must be granted both repositories anyway.

Therefore, Option C is the best approach: it keeps plaintext out of source control, confines decryption to a pipeline identity scoped by IAM, and makes rotation a matter of re-encrypting and re-uploading a single object.
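One concrete shape of the Option C design, as an added example that is not part of the original question and not taken from Google's documentation: a Cloud Build configuration whose first two steps fetch the ciphertext from Cloud Storage and decrypt it with Cloud KMS, preceded (as comments) by the one-time administrator commands that create the key, encrypt the secret file, grant the build service account its two IAM roles, and rotate the secret. The project, bucket, key ring, key, service account and `deploy.sh` names are assumptions.

```yaml
# cloudbuild.yaml for the Option C design (added example; all names are assumptions).
#
# One-time setup, run by an administrator, never by the pipeline:
#
#   # Key ring and key. Cloud KMS keys never leave the service; callers get
#   # encrypt/decrypt operations, not key material.
#   gcloud kms keyrings create ci-secrets --location=global
#   gcloud kms keys create app-secrets --location=global --keyring=ci-secrets \
#       --purpose=encryption
#
#   # Encrypt the secret file (KMS accepts up to 64 KiB of plaintext per call;
#   # larger payloads need envelope encryption) and store only the ciphertext.
#   gcloud kms encrypt --location=global --keyring=ci-secrets --key=app-secrets \
#       --plaintext-file=app.env --ciphertext-file=app.env.enc
#   gsutil cp app.env.enc gs://my-project-ci-secrets/app.env.enc
#
#   # Least privilege for the build identity: decrypt on this one key, read on
#   # this one bucket. Nobody else needs the plaintext.
#   gcloud kms keys add-iam-policy-binding app-secrets --location=global \
#       --keyring=ci-secrets \
#       --member=serviceAccount:ci-build@my-project.iam.gserviceaccount.com \
#       --role=roles/cloudkms.cryptoKeyDecrypter
#   gsutil iam ch \
#       serviceAccount:ci-build@my-project.iam.gserviceaccount.com:objectViewer \
#       gs://my-project-ci-secrets
#
#   # Rotation after a breach: change the secret at its provider, re-run the
#   # encrypt and cp commands above, and the next build uses the new value.
#   # Rotating the KMS key (gcloud kms keys versions create ... --primary) does
#   # not break existing ciphertext, which records the key version that made it.

serviceAccount: projects/my-project/serviceAccounts/ci-build@my-project.iam.gserviceaccount.com
options:
  logging: CLOUD_LOGGING_ONLY   # required when a user-specified service account is set

steps:
  # 1. Fetch the ciphertext. /workspace is shared between steps and discarded
  #    when the build ends.
  - name: gcr.io/cloud-builders/gsutil
    args: ['cp', 'gs://my-project-ci-secrets/app.env.enc', '/workspace/app.env.enc']

  # 2. Decrypt via Cloud KMS. The call is authorised by the build service
  #    account's cryptoKeyDecrypter binding; the key itself stays in KMS.
  - name: gcr.io/cloud-builders/gcloud
    args:
      - kms
      - decrypt
      - --location=global
      - --keyring=ci-secrets
      - --key=app-secrets
      - --ciphertext-file=/workspace/app.env.enc
      - --plaintext-file=/workspace/app.env

  # 3. Use the plaintext inside the step. Source it into the environment rather
  #    than echoing it, and remove the files before the step exits so the
  #    secret is neither logged nor left for later steps that do not need it.
  - name: gcr.io/cloud-builders/gcloud
    entrypoint: bash
    args:
      - -c
      - |
        set -euo pipefail
        set -a; . /workspace/app.env; set +a   # KEY=value lines become env vars
        ./deploy.sh                             # assumed script; reads the vars
        rm -f /workspace/app.env /workspace/app.env.enc
```

Two details matter in practice: the decrypt step works only if the build runs as the service account that holds the `cryptoKeyDecrypter` binding (here set explicitly via `serviceAccount`; with the default Cloud Build identity you would bind the role to that account instead), and the plaintext must never be passed through build arguments or echoed, since build logs and image layers outlive the build.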