Storing secrets and credentials securely in GitLab

3

25

I am wondering if it's possible to store credentials like passwords, tokens and keys safely in my GitLab project.

Currently there are a bunch of Java files with some passwords stored in them for testing purposes. However, I don't want to push this information to my repo for security reasons. I tried using environment variables in the project, but they only seem to work for the .gitlab-ci.yml file.

My question is: does anyone use a vault like HashiCorp's or BlackBox to encrypt sensitive information?

Thanks

Wotton answered 13/12, 2019 at 10:34 Comment(1)
FWIW GitLab doesn't mask the secrets from the HashiCorp Vault native integration. However, this integration can still be used to a benefit: it's easier to store, rotate and version control the secrets in the Vault and sync them into GitLab's project/group/instance secrets via i.e. Terraform. – Annoy
5

If you are not using environment variables in GitLab, then you are asking if it is possible to store secrets in GitLab. I have not done this myself, but I found this post about it:

https://embeddedartistry.com/blog/2018/03/15/safely-storing-secrets-in-git/

The author suggests three ways of storing secrets in git:

The author was using BlackBox, but was going to migrate to git-crypt. From a quick look at it, git-crypt looks like something that I could use myself.

Prestidigitation answered 13/12, 2019 at 11:24 Comment(0)
5

You can check out GitLab 12.9 (March 2020) which comes with:

HashiCorp Vault GitLab CI/CD Managed Application

GitLab wants to make it easy for users to have modern secrets management. We are now offering users the ability to install Vault within a Kubernetes cluster as part of the GitLab CI managed application process.

This will support the secure management of keys, tokens, and other secrets at the project level in a Helm chart installation.

See documentation and issue.


See also GitLab 13.4 (September 2020)

For Premium/Silver only:

Use HashiCorp Vault secrets in CI jobs

In GitLab 12.10, GitLab introduced functionality for GitLab Runner to fetch and inject secrets into CI jobs. GitLab is now expanding the JWT Vault Authentication method by building a new secrets syntax in the .gitlab-ci.yml file. This makes it easier for you to configure and use HashiCorp Vault with GitLab.

https://about.gitlab.com/images/13_4/vault_ci.png -- Use HashiCorp Vault secrets in CI jobs

See Documentation and Issue.

Nicolis answered 22/3, 2020 at 21:47 Comment(0)
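
As an added example (not part of the answer above or of GitLab's documentation), here is a `.gitlab-ci.yml` fragment using the `secrets` syntax described in the 13.4 notes to hand a password to Java tests without committing it. The Vault URL, role name, secret path, job name and image are assumptions; the `id_tokens`/`token` lines apply to newer GitLab releases that authenticate to Vault with ID tokens.

```yaml
# Added example: Vault-backed secret for a Java test job (GitLab Premium).
# Assumed values: Vault URL, role "java-tests", KV v2 mount "ops",
# secret "testing/db" with field "password", and the Maven image tag.
variables:
  VAULT_SERVER_URL: https://vault.example.com   # placeholder URL
  VAULT_AUTH_ROLE: java-tests                   # hypothetical Vault JWT role

integration-tests:
  image: maven:3-eclipse-temurin-17             # assumed image
  # Newer GitLab releases use an ID token for the Vault JWT login.
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://vault.example.com
  secrets:
    DB_PASSWORD_FILE:
      # Field "password" of secret "testing/db" in the KV v2 engine mounted at "ops".
      vault: testing/db/password@ops
      token: $VAULT_ID_TOKEN
  script:
    # The runner writes the secret to a temporary file; the variable holds its path.
    - test -s "$DB_PASSWORD_FILE" || { echo "Vault secret missing" >&2; exit 1; }
    # Set the value only for the test process; never echo it into the job log.
    - DB_PASSWORD="$(cat "$DB_PASSWORD_FILE")" mvn --batch-mode test
```

The Java tests then read the value with `System.getenv("DB_PASSWORD")` instead of a hardcoded literal, and should fail when it is absent rather than fall back to a default.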
3

GitLab will soon include a function for securely storing secrets called GitLab Secrets Manager.

Inviting answered 22/11, 2023 at 13:3 Comment(0)