With the latest Bamboo YAML Specs 2.0, we are able to manage secret variables with Bamboo Specs Encryption.
But the problem is, if the raw encrypted value is committed in source code as YAML specs, anyone who has read-only permission on its repository (git/stash/bitbucket) will be able to reuse it.
One use case is, I'd like to run deployments (IaC) with an AWS account, so I need to manage AWS API keys as secrets, and this AWS API key has AWS admin permission.
Because of the Bamboo Specs variable encryption, anyone who can see the file `bamboo-specs/bamboo.yaml` can copy and paste it into his/her own YAML specs and will get full control of my AWS accounts.
This will be a big risk.
In GitLab, Travis, and CircleCI, secrets management is in a separate setting. It is not directly managed in the YAML pipeline; there is a setting where you can add secrets easily for that pipeline.
When I was thinking about how Bamboo can handle this security concern, I found there are only two places where we can manage secrets: global variables or the build plan/deployment environment.
If we can manage secrets at the project level, then each team (one per project) will be able to manage their own secrets within a small team, rather than setting the secrets as global, where they can be used widely at enterprise level.
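
An audit sketch for the exposure described in the post above, added here as an example and not part of the original post or of Bamboo itself: it lists which variables in `bamboo-specs/bamboo.yaml` carry an encrypted value that any repository reader can see, so the owner knows which credentials to rotate or move out of the repository. It assumes encrypted values start with the `BAMSCRT@` prefix; the name hints, function name and sample spec are constructed for illustration.

```python
import re

# Assumption: values produced by Bamboo Specs Encryption start with "BAMSCRT@".
# Commented-out entries are matched too: the ciphertext is still readable in the repo.
ENCRYPTED = re.compile(
    r"^\s*(?P<hash>#\s*)?(?:-\s*)?(?P<key>[\w.\-]+)\s*:\s*['\"]?BAMSCRT@[^\s'\"#]+"
)
# Hypothetical name hints for credentials whose reuse would be high impact.
HIGH_IMPACT = re.compile(r"aws|secret|token|password|key", re.IGNORECASE)

# Constructed sample spec; the encrypted values are placeholders, not real output.
SAMPLE_SPEC = """\
version: 2
plan:
  project-key: DEMO
  key: IAC
  name: Deploy infrastructure
variables:
  aws_region: ap-southeast-2
  aws_access_key_id: BAMSCRT@0@0@CONSTRUCTED-PLACEHOLDER-1
  aws_secret_access_key: "BAMSCRT@0@0@CONSTRUCTED-PLACEHOLDER-2"
  # old_token: BAMSCRT@0@0@CONSTRUCTED-PLACEHOLDER-3
  build_label: BAMSCRT@0@0@CONSTRUCTED-PLACEHOLDER-4
"""


def audit_specs(text, path="bamboo-specs/bamboo.yaml"):
    """Return one finding per encrypted variable, never the ciphertext itself."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = ENCRYPTED.match(line)
        if match:
            name = match.group("key")
            findings.append({
                "path": path,
                "line": lineno,
                "variable": name,
                "commented": match.group("hash") is not None,
                "high_impact": bool(HIGH_IMPACT.search(name)),
            })
    return findings


if __name__ == "__main__":
    for f in audit_specs(SAMPLE_SPEC):
        flag = "HIGH" if f["high_impact"] else "low"
        note = " (commented out, still readable)" if f["commented"] else ""
        print(f'{f["path"]}:{f["line"]} {f["variable"]} [{flag}]{note}')
```

The findings hold only variable names and line numbers, so the report can be shared without copying the encrypted values any further.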