[kodah]

Credentials in a config file can be mistakenly checked into a repository. They're easy to exfiltrate from files, say I write a script with well known configuration locations for thousands of applications and just dumbly pull them all from a compromised system. I now have little bits of access to the wider system where I can now jump from system to system.

The best way to store ephemeral secrets is in an environment variable or /dev/shm. This locks the secret behind the scope of the parent process (shell instance) and the user.

[dvt]

I don't get this logic, that's what .gitignore is for. I've been using .env files for years and never mistakenly checked one into a repo.

[mountainriver]

This happens literally all the time in large organizations. People make mistakes

[bottled_poe]

And should be easily caught in code reviews and CI jobs?

[viraptor]

Sure, and it will be caught by CI (if you set it up (properly)) and code review (if it happens (and nobody misses it (and no commits are pushed as a cleanup after (...)))).

So basically if everything works perfectly, you won't have that problem. We know processes don't work perfectly, so it's better to avoid that issue in the first place by never leaving the literal tokens in the config.

Also, even if your CI catches the problem, it's too late - your credentials are now in the repo and in the CI system and likely in your log collector attached to the CI. You'll need to roll them. Same with reviews.

[dotancohen]

Which occur after the code is in git and pushed.

[bottled_poe]

So change the secrets and/or find professional developers? Sorry, not sorry, it’s an amateur mistake, not acceptable in a professional environment. Why would an amateur possess the secrets in the first place?

[dotancohen]

I prefer a security model slightly more robust than "None of the professionals working on this project will ever make a mistake".

[d4mi3n]

Ever try cleaning Git commit history? How about having GitHub clear a repository cache containing a secret?

You’re not wrong, but this is a whole class of issue that can be avoided for trivial levels of effort.

[kristjansson]

It’s not just to protect secrets, it’s better architecture. Rely on an ACCESS_ID/SECRET_KEY pair and it’s easy to bind too tightly to that authentication mechanism. Then providing credentials in production is a pain. Use the standard credential provider chain and the transition to production settings is trivial.

[sverhagen]

Even if you want your credentials in SOME file, you don't want them in THAT file. Because that configuration file contains enough valuable configuration that SHOULD be in Git, in which case the credentials would be in the way.

[kodah]

idk what to tell you. I work on a security team, one of the tools the team built finds and identifies secrets already checked into VCS or ones at the pre-commit stage. It's certainly not a seldomly used tool.

[mdaniel]

I believe GP's comment is at the intersection of "the chain is only as strong as its weakest link" and "defenders have to be correct every time, attackers just once"

[fwip]

Defense in depth. It only takes one person on your team accidentally committing one file for one service before your .gitignore safeguard is no longer guarding anything.

[belthesar]

Tell that to Solarwinds.

[dboreham]

Still a bad idea though.

[osrec]

How do you automate setting that environment variable?

[dboreham]

For a specific example of one way how : https://github.com/99designs/aws-vault

[toomuchtodo]

Injection into the environment (container config, Docker, k8s, etc) or the execution context. The actual mechanics are highly dependent on where your secrets are and where they’re going for use. On a dev workstation, could just be some bash or Python using the AWS cli, for example.