Manage secrets with Bamboo YAML Specs 2.0

ozbillwang December 12, 2019

With the latest Bamboo YAML Specs 2.0, we are able to manage secret variables with Bamboo Specs encryption.

But the problem is, if the raw encryption is committed in source code as YAML specs, anyone who has read-only permission on its repository (git/stash/bitbucket) will be able to re-use it.

One use case is, I'd like to run deployment (IaC) with an AWS account, so I need to manage AWS API keys as secrets, and this AWS API key has AWS admin permission.

Because of the Bamboo Specs variable encryption, anyone who can see the file `bamboo-specs/bamboo.yaml` can copy and paste it into his/her own YAML specs and will get full control of my AWS accounts.

This will be a big risk.

In GitLab, Travis, and CircleCI, the secrets management is in a separate setting. It is not directly managed in the YAML pipeline; it has a setting where you can add secrets easily for that pipeline.

When I was thinking about how Bamboo can handle this security concern, I found there are only two places we can manage secrets: global variables or build plan/deployment environment.

If we can manage secrets at project level, then each team (one for each project) will be able to manage their own secrets within a small team, rather than setting the secrets as global where they can be used widely at enterprise level.
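A check that a repository or Bamboo administrator could run over spec files, listing every encrypted variable and flagging the same encrypted value turning up in more than one spec, which is the reuse the post above is concerned about. This is an added example, not part of the original post and not Bamboo tooling; `BAMSCRT@` is the marker Bamboo Specs encryption puts at the start of its output, while the function names, sample specs, key names and encrypted strings are constructed.

```python
import hashlib
import re
from collections import defaultdict

# Values produced by Bamboo Specs encryption start with this marker.
ENCRYPTED_RE = re.compile(r"BAMSCRT@\d+@\d+@[A-Za-z0-9+/=]+")
KEY_RE = re.compile(r"^\s*(?:-\s+)?([A-Za-z0-9_.-]+)\s*:")

def find_encrypted_values(yaml_text):
    """Return (line_number, key, fingerprint) for each encrypted value."""
    findings, last_key = [], None
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # ignore commented-out lines
        key = KEY_RE.match(line)
        if key:
            last_key = key.group(1)  # remembered for folded multi-line values
        for match in ENCRYPTED_RE.finditer(line):
            # Fingerprint with a short hash so reports never repeat the value.
            digest = hashlib.sha256(match.group(0).encode()).hexdigest()[:12]
            findings.append((lineno, last_key, digest))
    return findings

def find_reused_values(specs):
    """Map fingerprint -> sorted spec names, for values seen in 2+ specs."""
    seen = defaultdict(set)
    for name, text in specs.items():
        for _, _, digest in find_encrypted_values(text):
            seen[digest].add(name)
    return {d: sorted(names) for d, names in seen.items() if len(names) > 1}

# Constructed sample specs; the encrypted strings are made-up placeholders.
TEAM_A = """\
version: 2
variables:
  aws_access_key_id: BAMSCRT@0@0@Q09OU1RSVUNURUQtQQ==
  aws_secret_access_key: >-
    BAMSCRT@0@0@Q09OU1RSVUNURUQtQg==
"""
TEAM_B = """\
version: 2
variables:
  copied_key: BAMSCRT@0@0@Q09OU1RSVUNURUQtQg==
"""

if __name__ == "__main__":
    for lineno, key, digest in find_encrypted_values(TEAM_A):
        print(f"team-a/bamboo-specs/bamboo.yaml:{lineno}: {key} [{digest}]")
    print(find_reused_values({"team-a": TEAM_A, "team-b": TEAM_B}))
```

Run in a commit hook or scheduled job, the first function shows which specs carry encrypted values at all, and the second shows where one of them has been copied into another spec.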

1 comment

Boris Van Hardeveld
Marketplace Partner
February 18, 2020

@ozbillwang I have created a plugin which might be of interest to you. It essentially allows you to manage your secrets external to Bamboo, and refer to them using plain text. Please find it at https://marketplace.atlassian.com/1221965. I would really appreciate any remarks, questions or feedback you might have.
