Separate Build And Runtime Secrets

It’s a good practice to separate the secrets you need at build time and at run time.

Here’s why:

Separating the two types of secrets minimizes the risk associated with secret exposure. Build-time secrets, if compromised, should not give access to environments or resources beyond your CI system.

Run-time secrets are usually more critical: they may grant access to live databases, third-party services (such as Stripe), and other sensitive production resources.

Keeping them separate ensures that a compromise at one stage (build or run time) does not automatically lead to a breach at the other. And compromises do happen: CircleCI had a compromise in January 2023, and Heroku had a compromise in April 2022.
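As an added example (not code from the original post), here is how this separation looks in a BuildKit Dockerfile: the build-time secret is mounted only for the single step that needs it and never reaches an image layer, while the run-time secret is injected when the container starts. The npm registry token, the `DATABASE_URL` variable and the Node app layout are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not from the original post. Secret ids, variable names and
# the Node layout are assumptions chosen to illustrate the separation.

FROM node:20-alpine AS build
WORKDIR /app
COPY package.json package-lock.json ./
# Build-time secret: mounted only for this RUN step, never written to a layer.
# It lets npm authenticate to a private registry; if it leaks, the blast
# radius is the registry/CI, not production.
RUN --mount=type=secret,id=npm_token,target=/root/.npmrc npm ci
COPY . .
RUN npm run build

FROM node:20-alpine AS runtime
WORKDIR /app
# Only build outputs are copied; /root/.npmrc from the build stage is not here.
COPY --from=build /app/dist ./dist
COPY --from=build /app/node_modules ./node_modules
# Run-time secret: deliberately NOT baked in with ENV or ARG. The process
# reads DATABASE_URL from the environment the orchestrator provides at start.
CMD ["node", "dist/server.js"]

# Build on the CI runner (the token is read from a file and exposed only to
# the mount above):
#   DOCKER_BUILDKIT=1 docker build --secret id=npm_token,src=./ci/.npmrc -t app .
# Run in the target environment (the secret is injected only now, from that
# environment's secret store):
#   docker run --rm -e DATABASE_URL="$DATABASE_URL" app
# Check that the build secret never landed in the final image:
#   docker run --rm app sh -c 'test ! -f /root/.npmrc && echo "no build secret"'
```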
