如何在 gitlab-ci 中屏蔽 AWS_SECRET_ACCESS_KEY [英] how to mask AWS_SECRET_ACCESS_KEY in gitlab-ci

问题描述

在我的 Gitlab CI 中，我需要将 docker 映像推送到 AWS ECR，因此我需要 AWS_ACCESS_KEY_ID 和 AWS_SECRET_ACCESS_KEY.

In my Gitlab CI, I need to push a docker image to AWS ECR, so I need AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

在 Gitlab 中，当我进入 Settings > CI/CD > Variables 时，我可以放置我的变量，但我无法像 docs:

In Gitlab, when I go in Settings > CI / CD > Variables, I can put my variables, but I won't be able to mask AWS_SECRET_ACCESS_KEY as stated in the docs:

该值必须在一行中.该值不得包含转义字符.该值不得使用变量.该值不能有任何空格.该值的长度必须至少为 8 个字符.

The value must be in a single line. The value must not have escape characters. The value must not use variables. The value must not have any whitespace. The value must be at least 8 characters long.

SECRET 的格式类似于 xXxxX/lX+KgoS70+wZzzZz 不符合第二个条件，因此，我将无法屏蔽日志中的变量，这是严重的安全问题.

The SECRET has a format like xXxxX/lX+KgoS70+wZzzZz which doesn't pass the second criteria, so, I won't be able to mask the variables in logs, which is a serious security issue.

还有其他选择吗?

推荐答案

我的第一个想法是告诉你在 base64 中编码 AWS_ACCESS_KEY_ID 但出于同样的原因它也不起作用.

My first idea was to tell you to encode AWS_ACCESS_KEY_ID in base64 but it doesn't work either for the same reason.

在 gitlab 论坛 用于相同的用例:

A workaround is described on gitlab forum for the same use case :

echo xXxxX/lX+KgoS70+wZzzZz | base64 -d | base32

打开了一个问题，要求允许更多特殊字符在掩码变量中.

An issue has been opened requesting to allow more special characters in masked variables.

编辑:现在 已修复 在 Gitlab 12.2 中，@ 和 : 也是有效值.

Edit : it's now fixed in Gitlab 12.2, @ and : are also valid values.

这篇关于如何在 gitlab-ci 中屏蔽 AWS_SECRET_ACCESS_KEY的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！