Seeking CircleCI users for secrets management feedback

Hi there!

Thanks for using CircleCI! The product team is looking for feedback from CircleCI users that are interested in secrets integrations and management for their CI/CD process.

Lead Product Designer

I’m not sure my views are worth 75c, let alone $75, but the reason why I’ve created an account at CircleCI is due to the fact that Doppler has a level of integration with CircleCI and after a few months of fighting with the secret store on another CI system I needed something better.

Having every service provide its own secrets management is great if you plan to only use one or two services and maybe a single deployment environment; beyond that, a dedicated tool like Doppler seems to make far more sense.

I’m not saying that Doppler is perfect, but it does solve the issue with every service having hidden secrets/keys. This may improve the security of the service (as the values can not be accessed), but it still results in the need to manage those values in a secure way elsewhere, while also needing a system to allow the tracking of their use and how they’re updated over time.

Since I noticed this, I’ll chip in my $0.04: To me, having some way to

a) Bootstrap an external secrets service (whether a cloud provider secret manager or the one above) and inject env from those values
b) Rotate secrets in contexts / projects easily / more easily
c) Continue improving on hiding / masking secrets in builds and when connecting via ssh
d) Make more granular control around ssh access to builds

It would also be great if there were some clever ways to grant implicit access to GCP / AWS via a service account or role ID vs. having to have a secret at all – this would allow granting Circle access to resources without having to actually use a secret at all.

Thanks for your input @rit1010!

Thanks for your thoughts @wyardley! I really appreciate it.

It would be worth you looking at Doppler as your list is much like the one I started from.

Currently, in my test environment, I have Doppler pushing key pairs that it manages to CircleCI at the project level, so the key pairs end up populating the project’s Environment Variables within CircleCI. I also have Doppler’s CLI correctly injecting key pairs into docker command lines within runners, which does a great job of masking the key pairs used, as CircleCI never sees them.

So the integration works well; it’s a shame that I am hitting issues elsewhere in my evaluation.