Secrets Management in Automated Pipelines
Patterns for storing, rotating, and injecting secrets in CI/CD without exposing credentials in logs or artifacts.
Secrets Management in Automated Pipelines
Problem statement
Credentials in environment variables, .env files, or build logs remain a top cause of cloud compromise. Automated pipelines multiply exposure surface.
Recommended architecture
Developer → OIDC / short-lived token → CI runner
↓
Secrets manager (Vault / cloud SM)
↓
Runtime workload (IRSA, workload identity)Controls
1. Never persist secrets in artifacts
- Mask variables in CI logs
- Scan git history with gitleaks or trufflehog on every PR
- Reject builds that embed secrets in Docker layers
2. Prefer dynamic credentials
| Platform | Pattern |
|---|---|
| AWS | OIDC → IAM role for GitHub Actions |
| GCP | Workload identity federation |
| Azure | Federated credentials |
| Kubernetes | External Secrets Operator + Vault |
3. Rotation policy
| Secret type | Rotation |
|---|---|
| API keys (third-party) | 90 days |
| Database passwords | 30–60 days |
| TLS certificates | Auto via ACME |
| CI deploy tokens | Per-pipeline scoped, least privilege |
Pipeline snippet (conceptual)
# Fetch short-lived DB creds at job start never store in repo
export DB_PASS=$(vault kv get -field=password secret/app/prod/db)
npm run integration-tests
unset DB_PASSCompliance evidence
For SOC2/ISO audits, document: who can read secrets, rotation logs, break-glass procedure, and separation between prod/staging secret paths.