The recommended CircleCI guidelines seem to be to use environment variables for different environments:

    PROD_AWS_ACCESS_KEY_ID  # for prod deployments
    DEV_AWS_ACCESS_KEY_ID   # for dev deployments
However, there is no way to configure CircleCI to limit access to these variables at a branch level.
Thus any developer with write access to our git repository can modify the .circleci/config.yml and use the PROD_AWS_ACCESS_KEY_ID env variable to deploy dev/other malicious code to the production environment.
In fact, this can even happen by accident due to a dev potentially copy-pasting some portion of the yaml code while editing.
This seems like a huge security issue and I am surprised CircleCI has no real workarounds/features in progress to address this.
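An added example (not from the post or from CircleCI) of a pre-merge check for the drift described above: it flags jobs that reference a PROD_* variable but are run by a workflow without a branches.only filter confined to the production branches. It assumes the config has been loaded into a dict with a YAML parser and that only main/master may deploy to production.

```python
import re

# Variable names the production credentials live under (the post's PROD_* naming).
PROD_VAR_RE = re.compile(r"\$\{?(PROD_[A-Z0-9_]+)\}?")
# Branches allowed to run jobs that reference PROD_* variables (assumption).
ALLOWED_BRANCHES = {"main", "master"}

def _job_text(job):
    """Flatten a job's run commands into one string for scanning."""
    parts = []
    for step in job.get("steps", []):
        if isinstance(step, dict) and "run" in step:
            run = step["run"]  # either "cmd" or {"command": "cmd", ...}
            parts.append(run if isinstance(run, str) else str(run.get("command", "")))
    return "\n".join(parts)

def prod_jobs(config):
    """Return {job_name: sorted PROD_* variables the job references}, omitting clean jobs."""
    hits = {n: sorted(set(PROD_VAR_RE.findall(_job_text(j)))) for n, j in config.get("jobs", {}).items()}
    return {n: v for n, v in hits.items() if v}

def unrestricted_prod_jobs(config, allowed=ALLOWED_BRANCHES):
    """PROD_*-referencing jobs that a workflow runs without branches.only confined to `allowed`."""
    risky, targets = set(), prod_jobs(config)
    for wf in config.get("workflows", {}).values():
        if not isinstance(wf, dict):  # skip the workflows-level 'version' key
            continue
        for entry in wf.get("jobs", []):  # "job" or {"job": {...options}}
            name, opts = (entry, {}) if isinstance(entry, str) else next(iter(entry.items()))
            if name not in targets:
                continue
            only = opts.get("filters", {}).get("branches", {}).get("only", [])
            only = [only] if isinstance(only, str) else only
            if not only or not set(only) <= allowed:
                risky.add(name)
    return sorted(risky)

# Constructed sample: the parsed form of a .circleci/config.yml (e.g. from yaml.safe_load).
SAMPLE_CONFIG = {
    "jobs": {
        "deploy-dev": {"steps": [{"run": "AWS_ACCESS_KEY_ID=$DEV_AWS_ACCESS_KEY_ID ./deploy.sh dev"}]},
        "deploy-prod": {"steps": [{"run": {"command": "AWS_ACCESS_KEY_ID=${PROD_AWS_ACCESS_KEY_ID} ./deploy.sh prod"}}]},
        # Copy-pasted from deploy-prod for a feature branch; still points at the prod key.
        "deploy-feature": {"steps": [{"run": "AWS_ACCESS_KEY_ID=$PROD_AWS_ACCESS_KEY_ID ./deploy.sh dev"}]},
    },
    "workflows": {"version": 2, "build-deploy": {"jobs": ["deploy-dev",
        {"deploy-prod": {"filters": {"branches": {"only": "main"}}}},
        {"deploy-feature": {"filters": {"branches": {"only": ["feature/*"]}}}},
    ]}},
}
```

Run as a required check on pull requests, this catches the accidental copy-paste case; it cannot stop someone who deliberately edits the filter in the same commit, which is exactly why the variables need to be scoped on the CircleCI side rather than in the repository.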