How to mask AWS_SECRET_ACCESS_KEY in gitlab-ci
Problem description
In my Gitlab CI, I need to push a docker image to AWS ECR, so I need AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
In Gitlab, when I go in Settings > CI / CD > Variables, I can put my variables, but I won't be able to mask AWS_SECRET_ACCESS_KEY as stated in the docs:
The value must be in a single line.
The value must not have escape characters.
The value must not use variables.
The value must not have any whitespace.
The value must be at least 8 characters long.
The SECRET has a format like xXxxX/lX+KgoS70+wZzzZz which doesn't pass the second criterion, so I won't be able to mask the variables in logs, which is a serious security issue.
Are there any other options?
Recommended answer
My first idea was to tell you to encode AWS_ACCESS_KEY_ID in base64 but it doesn't work either for the same reason.
A workaround is described on the gitlab forum for the same use case:
echo xXxxX/lX+KgoS70+wZzzZz | base64 -d | base32
An issue has been opened requesting to allow more special characters in masked variables.
Edit: it's now fixed in Gitlab 12.2, @ and : are also valid values.
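The workaround above as a full round trip, added here as an example and not part of the original answer. The function names, the AWS_SECRET_B32 variable name and the 40-character sample value are constructed for illustration, and GNU coreutils (base64, base32) is assumed.

```shell
#!/bin/sh
# Added example: store an AWS secret as a masked GitLab CI variable by
# re-encoding it into the base32 alphabet (A-Z, 2-7), then restore it in the job.

# Constructed 40-character sample in the page's format; not a real credential.
SAMPLE_SECRET='xXxxX/lX+KgoS70+wZzzZzAbCdEfGhIjKlMnOp12'

# Run once on a trusted workstation. The output has no '/' or '+' and is the
# value to paste into Settings > CI / CD > Variables with masking enabled.
to_maskable() {
  printf '%s' "$1" | base64 -d | base32 -w0
}

# Run inside the CI job to recover the original secret, for example:
#   export AWS_SECRET_ACCESS_KEY="$(from_maskable "$AWS_SECRET_B32")"
# (AWS_SECRET_B32 is a hypothetical name for the masked variable.)
from_maskable() {
  printf '%s' "$1" | base32 -d | base64 -w0
}

# Verify before storing: the trick only works when the secret is itself valid
# base64 whose length is a multiple of 4. Anything else is truncated or altered
# by the decode step and would restore to a different string.
check_round_trip() {
  rt_encoded=$(to_maskable "$1" 2>/dev/null) || return 1
  [ "$(from_maskable "$rt_encoded" 2>/dev/null)" = "$1" ]
}

if check_round_trip "$SAMPLE_SECRET"; then
  echo "store this as the masked variable: $(to_maskable "$SAMPLE_SECRET")"
else
  echo "secret does not survive the round trip; do not use this workaround" >&2
fi
```

GitLab masks the stored base32 string, not the decoded secret, so the job has to keep the decoded value out of its output (no echo of it, no set -x around the decode line).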