With the latest Bamboo YAML Specs 2.0, we are able to manage secret variables with Bamboo Specs Encryption.
But the problem is, if the raw encrypted value is committed to source code as YAML specs, anyone who has read-only permission on its repository (Git/Stash/Bitbucket) will be able to re-use it.
One use case is: I'd like to run deployments (IaC) with an AWS account, so I need to manage AWS API keys as secrets, and this AWS API key has AWS admin permissions.
Because of the Bamboo Specs variable encryption, anyone who can see the file `bamboo-specs/bamboo.yaml` can copy and paste it into his/her own YAML specs and will get full control of my AWS accounts.
This will be a big risk.
In GitLab, Travis and CircleCI, secrets management is a separate setting. It is not managed directly in the YAML pipeline; there is a setting where you can easily add secrets for that pipeline.
When thinking about how Bamboo can handle this security concern, I found there are only two places where we can manage secrets: global variables, or the build plan/deployment environment.
If we could manage secrets at the project level, then each team (per project) would be able to manage their own secrets within the small team, rather than setting the secrets globally where they can be used widely across the enterprise.
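To assess the exposure described above, a team can scan its committed specs for encrypted variables before they reach a repository that many people can read. The following is an added example, not code from the original post or from Atlassian; it assumes Bamboo's `BAMSCRT@` prefix for encrypted values, a constructed `bamboo.yaml` with placeholder ciphertext, and a hypothetical list of sensitive-looking variable names.

```python
import re
from typing import List, Tuple

# Bamboo Specs writes encrypted variable values as BAMSCRT@<n>@<n>@<base64>.
# The ciphertext is bound to the Bamboo instance's key, not to one plan, so
# anyone who can read the file can paste it into their own plan (the risk
# raised in the post). Flagging such values at commit time makes the exposure visible.
ENCRYPTED_VALUE = re.compile(r'BAMSCRT@\d+@\d+@[A-Za-z0-9+/=]+')
# Hypothetical heuristic: names that usually denote high-value credentials.
SENSITIVE_NAME = re.compile(r'(aws|secret|key|token|password)', re.IGNORECASE)

# Constructed sample bamboo.yaml; the ciphertexts are placeholders, not real values.
SAMPLE_SPEC = """\
---
version: 2
plan:
  project-key: IAC
  key: DEPLOY
  name: Deploy infrastructure
variables:
  region: us-east-1
  aws_access_key_id: BAMSCRT@0@0@PLACEHOLDERAAAA==
  aws_secret_access_key: BAMSCRT@0@0@PLACEHOLDERBBBB==
"""


def find_encrypted_variables(spec_text: str) -> List[Tuple[int, str, bool]]:
    """Return (line number, variable name, looks_sensitive) for each YAML
    key/value line whose value is a Bamboo-encrypted blob."""
    findings = []
    for lineno, line in enumerate(spec_text.splitlines(), start=1):
        m = re.match(r'\s*([A-Za-z0-9_.-]+):\s*(\S+)\s*$', line)
        if m and ENCRYPTED_VALUE.fullmatch(m.group(2)):
            name = m.group(1)
            findings.append((lineno, name, bool(SENSITIVE_NAME.search(name))))
    return findings


def main() -> None:
    for lineno, name, sensitive in find_encrypted_variables(SAMPLE_SPEC):
        level = "HIGH" if sensitive else "info"
        print(f"line {lineno}: encrypted variable '{name}' committed to specs [{level}]")


if __name__ == "__main__":
    main()
```

Run it as a pre-commit or CI check over `bamboo-specs/*.yaml`; any HIGH finding is a credential that every reader of the repository could reuse in their own plan.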