Skip to main content

How to manage secrets securely in CI pipelines

Store, inject, and mask secrets in CI without leaking them. Covers scoped credentials, log masking, and replacing static keys with short-lived OIDC tokens.

Difficulty
Intermediate
Duration
40 minutes
Steps
6

What and why

Pipelines need credentials to deploy and publish, but those secrets must never appear in source, logs, or build artifacts. This tutorial shows how to store, inject, and mask secrets safely, and how to replace static keys with short-lived tokens.

Prerequisites

  • A CI pipeline.
  • Credentials your pipeline genuinely needs.
  • Basic security awareness.

Steps

1. Keep secrets out of the repo

Never commit tokens, even in private repos or history. Add a secret scanner to catch accidental commits, and rotate anything that leaks.

2. Store secrets in the CI vault

Use the CI platform's encrypted secret store or an external manager such as Vault. Secrets are encrypted at rest and only exposed to authorized jobs.

3. Inject secrets at runtime

      - run: ./deploy.sh
        env:
          API_TOKEN: ${{ secrets.API_TOKEN }}

Reference secrets only as environment variables for the step that needs them, not globally.

4. Scope and mask secrets

Limit each secret to the environment or job that requires it. CI automatically masks registered secret values in logs, but avoid printing them or passing them as command-line arguments where they can appear in process listings.

5. Use short-lived cloud credentials

Replace long-lived cloud keys with OIDC federation:

    permissions:
      id-token: write
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::111122223333:role/ci-deploy

The job exchanges a signed identity token for temporary credentials, so there is no static key to steal.

Verification

Add a step that echoes a secret and confirm CI masks it as ***. Check that no secret appears in artifacts. Confirm cloud access uses a temporary role session, not a stored access key.

Next Steps

Set expiry and rotation policies for any remaining static secrets. Restrict which branches can access production secrets. Audit secret usage regularly and remove unused entries.

Prerequisites

  • A CI pipeline
  • Credentials the pipeline needs
  • Basic security awareness

Steps

  • 1
    Keep secrets out of the repo
  • 2
    Store secrets in the CI vault
  • 3
    Inject secrets at runtime
  • 4
    Scope and mask secrets
  • 5
    Use short-lived cloud credentials
  • 6
    Verify nothing leaks

Category

CI/CD