How to mask AWS_SECRET_ACCESS_KEY in gitlab-ci
Problem description
In my Gitlab CI, I need to push a docker image to AWS ECR, so I need AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
In Gitlab, when I go in Settings > CI / CD > Variables, I can put my variables, but I won't be able to mask AWS_SECRET_ACCESS_KEY as stated in the docs:
The value must be in a single line. The value must not have escape characters. The value must not use variables. The value must not have any whitespace. The value must be at least 8 characters long.
The SECRET has a format like xXxxX/lX+KgoS70+wZzzZz which doesn't pass the second criterion, so I won't be able to mask the variables in logs, which is a serious security issue.
Is there any other option?
Recommended answer
My first idea was to tell you to encode AWS_ACCESS_KEY_ID in base64, but it doesn't work either, for the same reason.
A workaround is described on the gitlab forum for the same use case:
echo xXxxX/lX+KgoS70+wZzzZz | base64 -d | base32
An issue has been opened requesting to allow more special characters in masked variables.
Edit: it's now fixed in Gitlab 12.2, @ and : are also valid values.
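The forum workaround above together with the decode step the job needs, as an added example that is not part of the original answer. It assumes GNU coreutils `base32` and `base64`; the sample secret is constructed, and the function names and `AWS_SECRET_B32` are hypothetical.

```shell
#!/bin/sh
# Added example: store a base64-alphabet secret as base32 so the stored value
# contains only letters and digits, then restore it inside the CI job.

# Constructed 40-character sample value, NOT a real key.
SAMPLE_SECRET='abcdEFGH1234/ijkl+MNOP5678qrstUVWX90/+yz'

# Recover the original secret from its base32 form (run inside the CI job).
mask_decode() {
    printf '%s' "$1" | base32 -d 2>/dev/null | base64 -w0
}

# Produce the value to store in the masked variable (run once, locally).
# Fails when the input does not survive the round trip (for example it is not
# made of whole 4-character base64 groups), because the job would then
# restore a different key than the one issued.
mask_encode() {
    _enc=$(printf '%s' "$1" | base64 -d 2>/dev/null | base32 -w0)
    [ -n "$_enc" ] || return 1
    [ "$(mask_decode "$_enc")" = "$1" ] || return 1
    printf '%s\n' "$_enc"
}

# True when the value contains only letters and digits (no / + or whitespace).
is_alnum_only() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# In the job script (AWS_SECRET_B32 is a hypothetical masked variable name):
#   export AWS_SECRET_ACCESS_KEY="$(mask_decode "$AWS_SECRET_B32")"

# Stand-alone demo: 40 base64 characters decode to 30 bytes, which encode to
# 48 base32 characters with no '=' padding.
ENCODED=$(mask_encode "$SAMPLE_SECRET") && printf 'store this value: %s\n' "$ENCODED"
```

Masking matches the stored base32 value, so the decoded key is not masked if a command prints it; keep `set -x` and `env` dumps out of jobs that decode it.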