名称:秘密管理 描述:使用Vault、AWS Secrets Manager或原生平台解决方案为CI/CD管道实现安全的秘密管理。适用于处理敏感凭据、轮换秘密或保护CI/CD环境时。
秘密管理
使用Vault、AWS Secrets Manager和其他工具为CI/CD管道提供安全的秘密管理实践。
目的
在CI/CD管道中实现安全的秘密管理,避免硬编码敏感信息。
何时使用
- 存储API密钥和凭据
- 管理数据库密码
- 处理TLS证书
- 自动轮换秘密
- 实现最小权限访问
秘密管理工具
HashiCorp Vault
- 集中式秘密管理
- 动态秘密生成
- 秘密轮换
- 审计日志
- 细粒度访问控制
AWS Secrets Manager
- AWS原生解决方案
- 自动轮换
- 与RDS集成
- CloudFormation支持
Azure Key Vault
- Azure原生解决方案
- HSM支持密钥
- 证书管理
- RBAC集成
Google Secret Manager
- GCP原生解决方案
- 版本控制
- IAM集成
HashiCorp Vault集成
设置Vault
# Start Vault dev server
vault server -dev
# Set environment
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='root'
# Enable secrets engine
vault secrets enable -path=secret kv-v2
# Store secret
vault kv put secret/database/config username=admin password=secret
使用Vault的GitHub Actions
name: Deploy with Vault Secrets
on: [push]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Import Secrets from Vault
uses: hashicorp/vault-action@v2
with:
url: https://vault.example.com:8200
token: ${{ secrets.VAULT_TOKEN }}
secrets: |
secret/data/database username | DB_USERNAME ;
secret/data/database password | DB_PASSWORD ;
secret/data/api key | API_KEY
- name: Use secrets
run: |
echo "Connecting to database as $DB_USERNAME"
# Use $DB_PASSWORD, $API_KEY
使用Vault的GitLab CI
deploy:
image: vault:latest
before_script:
- export VAULT_ADDR=https://vault.example.com:8200
- export VAULT_TOKEN=$VAULT_TOKEN
- apk add curl jq
script:
- |
DB_PASSWORD=$(vault kv get -field=password secret/database/config)
API_KEY=$(vault kv get -field=key secret/api/credentials)
echo "Deploying with secrets..."
# Use $DB_PASSWORD, $API_KEY
参考: 见 references/vault-setup.md
AWS Secrets Manager
存储秘密
aws secretsmanager create-secret \
--name production/database/password \
--secret-string "super-secret-password"
在GitHub Actions中检索
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-west-2
- name: Get secret from AWS
run: |
SECRET=$(aws secretsmanager get-secret-value \
--secret-id production/database/password \
--query SecretString \
--output text)
echo "::add-mask::$SECRET"
echo "DB_PASSWORD=$SECRET" >> $GITHUB_ENV
- name: Use secret
run: |
# Use $DB_PASSWORD
./deploy.sh
使用AWS Secrets Manager的Terraform
data "aws_secretsmanager_secret_version" "db_password" {
secret_id = "production/database/password"
}
resource "aws_db_instance" "main" {
allocated_storage = 100
engine = "postgres"
instance_class = "db.t3.large"
username = "admin"
password = jsondecode(data.aws_secretsmanager_secret_version.db_password.secret_string)["password"]
}
GitHub Secrets
组织/仓库秘密
- name: Use GitHub secret
run: |
echo "API Key: ${{ secrets.API_KEY }}"
echo "Database URL: ${{ secrets.DATABASE_URL }}"
环境秘密
deploy:
runs-on: ubuntu-latest
environment: production
steps:
- name: Deploy
run: |
echo "Deploying with ${{ secrets.PROD_API_KEY }}"
参考: 见 references/github-secrets.md
GitLab CI/CD变量
项目变量
deploy:
script:
- echo "Deploying with $API_KEY"
- echo "Database: $DATABASE_URL"
受保护和掩码变量
- Protected: 仅在受保护分支中可用
- Masked: 在作业日志中隐藏
- File type: 存储为文件
最佳实践
- 切勿将秘密提交到Git
- 为每个环境使用不同的秘密
- 定期轮换秘密
- 实现最小权限访问
- 启用审计日志
- 使用秘密扫描(GitGuardian、TruffleHog)
- 在日志中掩码秘密
- 加密静态秘密
- 尽可能使用短期令牌
- 记录秘密需求
秘密轮换
使用AWS自动轮换
import boto3
import json
def lambda_handler(event, context):
client = boto3.client('secretsmanager')
# Get current secret
response = client.get_secret_value(SecretId='my-secret')
current_secret = json.loads(response['SecretString'])
# Generate new password
new_password = generate_strong_password()
# Update database password
update_database_password(new_password)
# Update secret
client.put_secret_value(
SecretId='my-secret',
SecretString=json.dumps({
'username': current_secret['username'],
'password': new_password
})
)
return {'statusCode': 200}
手动轮换过程
- 生成新秘密
- 在秘密存储中更新秘密
- 更新应用程序以使用新秘密
- 验证功能
- 撤销旧秘密
外部秘密操作符
Kubernetes集成
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: vault-backend
namespace: production
spec:
provider:
vault:
server: "https://vault.example.com:8200"
path: "secret"
version: "v2"
auth:
kubernetes:
mountPath: "kubernetes"
role: "production"
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: database-credentials
namespace: production
spec:
refreshInterval: 1h
secretStoreRef:
name: vault-backend
kind: SecretStore
target:
name: database-credentials
creationPolicy: Owner
data:
- secretKey: username
remoteRef:
key: database/config
property: username
- secretKey: password
remoteRef:
key: database/config
property: password
秘密扫描
预提交钩子
#!/bin/bash
# .git/hooks/pre-commit
# Check for secrets with TruffleHog
docker run --rm -v "$(pwd):/repo" \
trufflesecurity/trufflehog:latest \
filesystem --directory=/repo
if [ $? -ne 0 ]; then
echo "❌ Secret detected! Commit blocked."
exit 1
fi
CI/CD秘密扫描
secret-scan:
stage: security
image: trufflesecurity/trufflehog:latest
script:
- trufflehog filesystem .
allow_failure: false
参考文件
references/vault-setup.md- HashiCorp Vault配置references/github-secrets.md- GitHub Secrets最佳实践
相关技能
github-actions-templates- 用于GitHub Actions集成gitlab-ci-patterns- 用于GitLab CI集成deployment-pipeline-design- 用于管道架构