-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
printenv
prints the secrets in plaintext
#2107
Comments
How else do you expect services to read the secrets??? |
In 0.5 there was a conceal option for secrets. This was expensive to do and didn't handle multi line secrets. |
Please follow the issue template, the tracker should be used for confirmed issues, not just for something you just expect. If you are using global secrets instead of secrets scoped to specific plugins it's up to you to keep the secrets hidden, in that case you can enable gating and just decline a pull request that tries to print the secrets. |
printenv
prints the global secrets in plaintextprintenv
prints the secrets in plaintext
Extend secrets with an optional field to specify exactly which plugin(s) can access the secret, otherwise it will not even populate that container with that env var. Plugins would still have to "request" the secret with So for example, if you are publishing an image to Docker, the only place you need that secret is in Then the build steps will not even have these secrets injected into the environment, providing a bit more granularity in controlling the secrets. Secrets set per repoAt the small scale, this allows pipeline/repo admins to add appropriate secrets knowing that only the appropriate plugins can use them and changes to Secrets set by global secretsOn the org-scale level, global secrets could be injected by Drone operators (who may not be repo owners) for users to use with certain plugins (and versions), and rotate them out if need be all at once, while being able to "not trust" individual Let me know if any part of that doesn't make sense, happy to clarify. |
After looking at the docs' CLI section, I see this is already implemented 😆 |
I guess if Global Secrets' yml config got updated, this could be considered done? - name: docker_username
value: octocat
image:
- plugins/docker
- name: docker_password
value: correct-horse-batter-staple
image:
- plugins/docker |
@tonglil this is already possible from the command line and the global secrets file :) Example when configuring a secret from the command line: drone secret add \
-repository octocat/hello-world \
+ -image plugins/docker \
-name docker_username \
-value <value> This is also supported in the global secrets file, although not currently documented: - name: docker_password
value: correct-horse-battery-staple
repos: [ octocat/hello-world, github/* ]
+ images: [ plugins/docker ] |
Awesome, looks like I am making a PR to the docs this week!
Tony Li
… On Aug 1, 2017, at 1:38 PM, Brad Rydzewski ***@***.***> wrote:
@tonglil this is already possible from the command line and the global secrets file :)
Example when configuring a secret from the command line:
drone secret add \
-repository octocat/hello-world \
+ -image plugins/docker \
-name docker_username \
-value <value>
This is also supported in the global secrets file, although not currently documented:
- name: docker_password
value: correct-horse-battery-staple
repos: [ octocat/hello-world, github/* ]
+ images: [ plugins/docker ]
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
the ability to conceal secrets was re-implemented to work with the new drone-runtime package, and will be re-introduced in 0.9 |
Drone version :
0.7.3
Reproduce: Run
printenv
in a drone stepActual: global secrets are printed with their values in plaintext
Expected: global secrets are printed with the values concealed (*)
The text was updated successfully, but these errors were encountered: