Skip to main content

Secrets Management in Automated Pipelines

Patterns for storing, rotating, and injecting secrets in CI/CD without exposing credentials in logs or artifacts.


Secrets Management in Automated Pipelines

Problem statement

Credentials in environment variables, .env files, or build logs remain a top cause of cloud compromise. Automated pipelines multiply exposure surface.

Recommended architecture

Developer → OIDC / short-lived token → CI runner Secrets manager (Vault / cloud SM) Runtime workload (IRSA, workload identity)

Controls

1. Never persist secrets in artifacts

  • Mask variables in CI logs
  • Scan git history with gitleaks or trufflehog on every PR
  • Reject builds that embed secrets in Docker layers

2. Prefer dynamic credentials

PlatformPattern
AWSOIDC → IAM role for GitHub Actions
GCPWorkload identity federation
AzureFederated credentials
KubernetesExternal Secrets Operator + Vault

3. Rotation policy

Secret typeRotation
API keys (third-party)90 days
Database passwords30–60 days
TLS certificatesAuto via ACME
CI deploy tokensPer-pipeline scoped, least privilege

Pipeline snippet (conceptual)

# Fetch short-lived DB creds at job start never store in repo export DB_PASS=$(vault kv get -field=password secret/app/prod/db) npm run integration-tests unset DB_PASS

Compliance evidence

For SOC2/ISO audits, document: who can read secrets, rotation logs, break-glass procedure, and separation between prod/staging secret paths.