how to mask AWS_SECRET_ACCESS_KEY in gitlab-ci

若如初见. Submitted on 2020-06-27 02:54:28

Question


In my GitLab CI, I need to push a docker image to AWS ECR, so I need AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

In GitLab, when I go to Settings > CI / CD > Variables, I can put my variables, but I won't be able to mask AWS_SECRET_ACCESS_KEY as stated in the docs:

  • The value must be in a single line.
  • The value must not have escape characters.
  • The value must not use variables.
  • The value must not have any whitespace.
  • The value must be at least 8 characters long.

The SECRET has a format like xXxxX/lX+KgoS70+wZzzZz which doesn't pass the second criterion, so I won't be able to mask the variables in logs, which is a serious security issue.

Is there any alternative?


Answer 1:


My first idea was to tell you to encode AWS_ACCESS_KEY_ID in base64, but it doesn't work either, for the same reason.

A workaround is described on the GitLab forum for the same use case:

echo xXxxX/lX+KgoS70+wZzzZz | base64 -d | base32

An issue has been opened requesting to allow more special characters in masked variables.

Edit: it's now fixed in GitLab 12.2; @ and : are also valid values.
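
The workaround above as a full round trip, including the decode step the CI job needs. This is an added example, not part of the original answer; it assumes GNU coreutils (`base64`, `base32`), and the sample secret, the function names and the variable name `AWS_SECRET_ACCESS_KEY_B32` are constructed for illustration.

```shell
#!/bin/sh
# Requires GNU coreutils. SAMPLE_SECRET is constructed for this example; it is
# not a real key, only a 40-character string in the Base64 alphabet.
LC_ALL=C; export LC_ALL
SAMPLE_SECRET='abcdEFGH/ijkl+MNOP0123qrstUVWX/4567+yzAB'

# Run once on a trusted workstation: turn the secret into a base32 string
# to store in Settings > CI / CD > Variables as a masked variable.
encode_for_masking() {
    printf '%s' "$1" | base64 -d | base32 -w0
}

# Run inside the CI job: recover the original secret from the stored value.
decode_in_job() {
    printf '%s' "$1" | base32 -d | base64 -w0
}

# True when the value is a single run of base32 characters (A-Z, 2-7, optional
# '=' padding) at least 8 characters long, which satisfies every rule quoted
# in the question (one line, no escapes, no variables, no whitespace).
fits_quoted_rules() {
    [ "${#1}" -ge 8 ] || return 1
    case "$1" in
        *[!A-Z2-7=]*) return 1 ;;
    esac
    return 0
}

# Hypothetical variable name; in a real job GitLab supplies it from CI settings.
AWS_SECRET_ACCESS_KEY_B32=$(encode_for_masking "$SAMPLE_SECRET")

if fits_quoted_rules "$AWS_SECRET_ACCESS_KEY_B32"; then
    # Export without printing: only the stored base32 string is masked in the
    # job log, the decoded key is a different string and is not.
    AWS_SECRET_ACCESS_KEY=$(decode_in_job "$AWS_SECRET_ACCESS_KEY_B32")
    export AWS_SECRET_ACCESS_KEY
fi
```

Keep `set -x` and any `echo` of the decoded value out of the job script, since the log masking matches the stored base32 string and not the decoded key.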




Answer 2:


With GitLab 12.10, April 2020, this should be easier, both because:

  • the Base64 alphabet (RFC4648) has been extended to accept @ and : (GitLab 12.2 as noted by Nicolas)
  • the AWS variables are listed in the UI so you can choose them more quickly.

Easy to configure AWS deployment variables

When deploying to AWS, applying the necessary environment variables should be as convenient as possible, and are validated.

You can now select the predefined variables for ‘AWS_ACCESS_KEY_ID’, ‘AWS_SECRET_ACCESS_KEY’ and ‘AWS_DEFAULT_REGION’ from the environment variable key list.

You’ll also see the variables you enter validated to ensure they are entered in a valid format.



Source: https://stackoverflow.com/questions/56019015/how-to-mask-aws-secret-access-key-in-gitlab-ci
