Rotate your CircleCI secrets immediately
CircleCI has just announced a security breach: https://circleci.com/blog/january-4-2023-security-alert/
I’m seeing reports of people seeing cloud credentials being used from an unknown source.
A best practice is to have your CI provider authenticate to your cloud with OIDC instead of static credentials. The tokens it issues are short-lived, which makes them far more secure, especially in situations like this one.
GitHub Actions supports OIDC, as does CircleCI.
Something else you can choose to do is use a different secret store for your secrets. I’ve had some good success using AWS Secrets Manager with a GitHub action that pulled in secrets. The only thing that was exposed in GitHub Actions was the short-lived token from OIDC.
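The setup described above, sketched as a GitHub Actions workflow. This is an added example, not the author's own configuration; the account ID, role name, region, secret ID and deploy script are placeholders, with the static-key approach shown in comments for contrast.

```yaml
# Added example: every ARN, name and path below is a placeholder.
name: deploy
on:
  push:
    branches: [main]

# Before (static credentials stored in the CI provider), for contrast only:
#   env:
#     AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
#     AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# These keys stay valid until someone rotates them by hand.

permissions:
  id-token: write   # allows the job to request a GitHub OIDC token
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchange the OIDC token for short-lived AWS credentials.
      # The role's trust policy should restrict the
      # token.actions.githubusercontent.com:sub claim to this
      # repository and branch, so no other workflow can assume it.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::111122223333:role/example-ci-deploy
          aws-region: us-east-1

      # Fetch the application secret from AWS Secrets Manager at run time.
      # Each line is "ENV_VAR_ALIAS, secret-id"; nothing is stored in GitHub.
      - uses: aws-actions/aws-secretsmanager-get-secrets@v2
        with:
          secret-ids: |
            DB_PASSWORD, example/app/db-password

      # Hypothetical deploy script that reads DB_PASSWORD from the environment.
      - run: ./deploy.sh
```

With this layout there are no long-lived cloud keys in the CI provider to rotate; access is revoked by changing the role's trust policy or permissions in AWS.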