Outside a Config File: Secrets Management

OIDC

Replace any static cloud credentials stored in CircleCI (project environment variables or context variables) with OIDC-based authentication wherever the target supports it: the job presents a short-lived, signed token that the cloud provider exchanges for temporary credentials, so there is no long-lived secret to leak, and nothing to rotate. Not every tool accepts OIDC, so some static credentials may have to remain; those need a written rotation policy (owner, rotation interval, and the procedure for updating the value in CircleCI).

A common and secure alternative to keeping static credentials in CircleCI is to store them in a secrets manager such as HashiCorp Vault or AWS Secrets Manager. The job authenticates to the secrets manager with its OIDC token and pulls only the secrets it needs at run time, so the values never sit in CircleCI at all and every read is logged on the secrets manager side.
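The trust check that both paragraphs above rely on, as an added example (not CircleCI's, AWS's or Vault's own code). CircleCI gives every job that uses a context a signed OIDC token in the `CIRCLE_OIDC_TOKEN` environment variable (with a richer `CIRCLE_OIDC_TOKEN_V2` alongside it); the relying party must pin the issuer, the audience and the subject of that token. The example decodes the token's claims, builds an AWS IAM role trust policy pinned to a single project, and uses `evaluate_trust`, a simplified stand-in for STS, to show why pinning `sub` matters: with only the `aud` condition, a token from any other project in the same organization is accepted. Vault's JWT auth method expresses the same restrictions on a role with `bound_audiences` and `bound_claims`. The organization and project identifiers, the account number, the role session name and the unsigned sample token are constructed for the example; `assume_role` wraps the real boto3 STS call and is not exercised offline.

```python
"""Added example, not CircleCI's, AWS's or Vault's own code.

CircleCI gives every job that uses a context a signed OIDC token in
CIRCLE_OIDC_TOKEN (and a v2 variant in CIRCLE_OIDC_TOKEN_V2) with
    iss = https://oidc.circleci.com/org/<org-id>
    aud = <org-id>
    sub = org/<org-id>/project/<project-id>/user/<user-id>
Because aud is the same for every project in the organization, the cloud
side must pin sub (or, for Vault, a bound claim) as well, or any job in
any project of the org can assume the role.
"""
import base64
import fnmatch
import json
import time
from typing import Dict, Optional, Tuple

ISSUER_HOST = "oidc.circleci.com"


def decode_claims(token: str) -> Dict:
    """Return a compact JWT's payload WITHOUT verifying the signature.

    Fine for a pre-flight check inside the job; the relying party (STS,
    Vault, ...) verifies the signature against the issuer's JWKS.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def trust_policy(account_id: str, org_id: str, project_id: str) -> Dict:
    """IAM role trust policy that accepts tokens from ONE CircleCI project."""
    provider = f"{ISSUER_HOST}/org/{org_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{provider}:aud": org_id},
                # Drop this entry and every project in the org can assume the role.
                "StringLike": {f"{provider}:sub": f"org/{org_id}/project/{project_id}/user/*"},
            },
        }],
    }


def evaluate_trust(policy: Dict, claims: Dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Simplified model of STS evaluating a trust policy against token claims.

    Checks issuer against the Federated provider, expiry, then each Condition
    (StringEquals exact, StringLike with * wildcards). Real STS additionally
    verifies the token signature, which this model does not.
    """
    now = time.time() if now is None else now
    stmt = policy["Statement"][0]
    provider = stmt["Principal"]["Federated"].split(":oidc-provider/", 1)[1]
    if claims.get("iss") != f"https://{provider}":
        return False, "issuer does not match the configured provider"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    for operator, tests in stmt["Condition"].items():
        for key, expected in tests.items():
            claim = key.rsplit(":", 1)[1]  # "<provider>:sub" -> "sub"
            actual = claims.get(claim)
            if not isinstance(actual, str):
                return False, f"missing or non-string claim {claim}"
            matched = (actual == expected if operator == "StringEquals"
                       else fnmatch.fnmatchcase(actual, expected))
            if not matched:
                return False, f"{operator} failed on {claim}"
    return True, "allowed"


def make_unsigned_token(claims: Dict) -> str:
    """Constructed sample token (alg=none, empty signature) for offline use only."""
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def assume_role(role_arn: str, token: str) -> Dict:
    """Exchange the job's token for temporary AWS credentials via STS.

    Needs boto3 and network access, so it is not exercised offline.
    """
    import boto3  # imported lazily so the rest of the module runs without it
    resp = boto3.client("sts").assume_role_with_web_identity(
        RoleArn=role_arn, RoleSessionName="circleci-job", WebIdentityToken=token)
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


if __name__ == "__main__":
    # Constructed identifiers; real ones come from CircleCI's organization settings.
    org = "11111111-2222-3333-4444-555555555555"
    policy = trust_policy("123456789012", org, "aaaa-project")
    base = {"iss": f"https://{ISSUER_HOST}/org/{org}", "aud": org, "exp": time.time() + 3600}
    same_project = dict(base, sub=f"org/{org}/project/aaaa-project/user/u1")
    other_project = dict(base, sub=f"org/{org}/project/bbbb-project/user/u1")
    print(evaluate_trust(policy, decode_claims(make_unsigned_token(same_project))))
    print(evaluate_trust(policy, other_project))
    loose = trust_policy("123456789012", org, "aaaa-project")
    del loose["Statement"][0]["Condition"]["StringLike"]  # aud-only policy
    print(evaluate_trust(loose, other_project))  # allowed: this is the misconfiguration
```

When reviewing a config, compare the `sub` pattern in each cloud-side trust policy (or Vault role) with the project that actually runs the job; an `aud`-only policy is the most common way an OIDC migration ends up broader than the static key it replaced.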

Contexts

For GitHub organizations, restrict each context to the GitHub teams (security groups) whose members should be able to run jobs that use it; a context with no restriction is available to every job in every project of the organization. If possible, migrate important secrets out of contexts into a secrets manager and use OIDC to pull them into jobs.


:arrow_forward: Next Step: Outside the Config: Storage Usage

:arrow_backward: Previous Step: Outside the Config: Security Settings

📑 Table of Contents

Self Service Configuration Review Overview

  1. Configuration Review Preparation
  2. Review Each Job for Improvement Opportunities
  3. Review Each Workflow for Improvement Opportunities
  4. High Level Improvement Opportunities
  5. Finalize Review