Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

printenv prints the secrets in plaintext #2107

Closed
ptagr opened this issue Jul 11, 2017 · 10 comments
Closed

printenv prints the secrets in plaintext #2107

ptagr opened this issue Jul 11, 2017 · 10 comments
Projects
Version 1.0

Comments

@ptagr
Copy link

ptagr commented Jul 11, 2017

Drone version : 0.7.3
Reproduce: Run printenv in a drone step
Actual: global secrets are printed with their values in plaintext
Expected: global secrets are printed with the values concealed (*)
@clayrisser
Copy link

How else do you expect services to read the secrets???

@donny-dont
Copy link

In 0.5 there was a conceal option for secrets. This was expensive to do and didn't handle multi line secrets.

@tboerger
Copy link

Please follow the issue template, the tracker should be used for confirmed issues, not just for something you just expect.

If you are using global secrets instead of secrets scoped to specific plugins it's up to you to keep the secrets hidden, in that case you can enable gating and just decline a pull request that tries to print the secrets.

@bradrydzewski bradrydzewski changed the title printenv prints the global secrets in plaintext printenv prints the secrets in plaintext Jul 12, 2017
@tonglil
Copy link

tonglil commented Aug 1, 2017
edited
Loading

Can I suggest a FR that could help with certain cases of this issue? Just read docs again and realized this is already implemented on the per-repo level.

Extend secrets with an optional field to specify exactly which plugin(s) can access the secret, otherwise it will not even populate that container with that env var. Plugins would still have to "request" the secret with secrets: [ docker_username, docker_password ], and any secret they request that they don't have access to would be empty string.

So for example, if you are publishing an image to Docker, the only place you need that secret is in plugins/docker and no where else. So when adding the secret, you add a list of plugins that will can get the secret: -image plugins/docker -image plugins/gcr:0.5 (if it needs it as well).

Then the build steps will not even have these secrets injected into the environment, providing a bit more granularity in controlling the secrets.

Secrets set per repo

At the small scale, this allows pipeline/repo admins to add appropriate secrets knowing that only the appropriate plugins can use them and changes to .drone.yml won't explose "these" secrets (it can still explose .netrc for example).

Secrets set by global secrets

On the org-scale level, global secrets could be injected by Drone operators (who may not be repo owners) for users to use with certain plugins (and versions), and rotate them out if need be all at once, while being able to "not trust" individual .drone.yml pipeline changes. For example, this could be a secret for publishing to a shared GCR bucket, or a Slack token for a pre-configured org Slack integration to send build notifications (so team's don't have to create their own Slack integration + more tokens).

Let me know if any part of that doesn't make sense, happy to clarify.

@tonglil
Copy link

tonglil commented Aug 1, 2017

UI could look something like this:
image

@tonglil
Copy link

tonglil commented Aug 1, 2017

After looking at the docs' CLI section, I see this is already implemented 😆

@tonglil
Copy link

tonglil commented Aug 1, 2017

I guess if Global Secrets' yml config got updated, this could be considered done?

- name: docker_username
  value: octocat
  image:
    - plugins/docker
- name: docker_password
  value: correct-horse-batter-staple
  image:
    - plugins/docker

@bradrydzewski
Copy link

@tonglil this is already possible from the command line and the global secrets file :)

Example when configuring a secret from the command line:

drone secret add \
  -repository octocat/hello-world \
+ -image plugins/docker \
  -name docker_username \
  -value <value>

This is also supported in the global secrets file, although not currently documented:

- name: docker_password
  value: correct-horse-battery-staple
  repos: [ octocat/hello-world, github/* ]
+ images: [ plugins/docker ]

@tonglil
Copy link

tonglil commented Aug 2, 2017 via email

@tonglil tonglil mentioned this issue Aug 14, 2017
Merged
@bradrydzewski
Copy link

the ability to conceal secrets was re-implemented to work with the new drone-runtime package, and will be re-introduced in 0.9

@bradrydzewski bradrydzewski added this to Done in Version 1.0 Apr 2, 2018
@GJKrupa GJKrupa mentioned this issue May 29, 2018
Closed
bot2-harness pushed a commit that referenced this issue Jun 14, 2024
@johannesHarness
Update principal uid for user/sa/service (#2107)
329181e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
No open projects
Version 1.0
Done
Milestone
No milestone
Development

No branches or pull requests
6 participants
@tboerger @donny-dont @bradrydzewski @ptagr @tonglil @clayrisser