Engineering · Feb 2, 2023 · 3 min read

Automating key rotation for CI/CD pipelines

Nick Ben

Technical Product Marketing Manager


With the CircleCI contexts API, you can save your team valuable time while enhancing security practices. We know maintaining your organization’s security is crucial. There are strict compliance requirements to meet, such as FedRAMP and GDPR, and a growing number of security threats and supply chain vulnerabilities to guard against. On CircleCI, customers can proactively manage security requirements in myriad ways, like managing your organization’s sensitive keys or secrets.

Secrets are used to build, test, and deploy across multiple projects. Sharing them among your team while maintaining their security can be difficult. In this article, we will cover how using the contexts API as part of your team’s security strategy can help automate your secret rotation according to best practices, providing the most protection possible.

Managing secrets with CircleCI contexts

To get the most out of CI/CD workflows on CircleCI, developers connect to private datastores and access-restricted services. Teams may even connect directly to their infrastructure to push production artifacts. CircleCI enables you to store credentials and other secrets securely in the form of contexts for use during builds.

Despite the countless hours and amount of brainpower that CircleCI and your organization put into keeping these values safe, no system is perfect. Good secrets hygiene includes rotating secrets periodically and when someone’s access has been revoked. If an employee leaves your company, or if someone in your organization is transferred to another department, all secrets they had access to should be rotated.

What about secret exposures you do not know about? An exception in a log may contain a secret value, exposing it to people who should not have access to it. Regularly rotating static secrets can help protect your organization from risk.

Our efforts to protect your secrets include encryption at rest and in transit, masking of secret values in build logs, and logging of access to secret data stores by CircleCI employees. We are the first CI/CD tool to meet the rigorous NIST security and privacy standards of FedRAMP, in addition to being SOC 2 Type II compliant.

Recommendations for secret rotation

CircleCI recommends automating your secret rotation to guard against human error and ensure that it is done on a regular basis. Here are some guidelines for using secrets with CircleCI:

  • Use the Principle of Least Privilege. Grant the secrets you pass to CircleCI only the permissions your builds and deploys actually require.
  • Automate adding and updating secrets in CircleCI contexts using the CircleCI CLI or the API.
  • Schedule regular secret rotations that fit the unique needs and risk profile of your team.
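The guidelines above amount to a small, repeatable procedure: obtain a fresh credential, write it into the context, and record that the rotation happened without ever logging the value. The following Python script is an added example, not code from CircleCI or this article. It assumes the CircleCI API v2 endpoint for overwriting a context variable (PUT /api/v2/context/{context-id}/environment-variable/{name} with a JSON body of {"value": ...} and a Circle-Token header), as documented in the public API reference at the time of writing; check the current contexts documentation before relying on the exact path. The context id, variable name and token values in the script are placeholders, and the HTTP transport is injectable so the logic can be exercised offline.

```python
"""Rotate one secret in a CircleCI context using the v2 contexts API.

Added example (not CircleCI's own tooling). Endpoint shape assumed from the
public API v2 reference; confirm against current docs. Values such as
context ids and tokens are placeholders supplied via the environment.
"""
import json
import os
import urllib.request
from typing import Any, Callable, Dict, Tuple

API_BASE = "https://circleci.com/api/v2"

# A transport takes the prepared request and returns (http_status, decoded_json).
Transport = Callable[[Dict[str, Any]], Tuple[int, Dict[str, Any]]]


def build_rotation_request(context_id: str, name: str,
                           new_value: str, token: str) -> Dict[str, Any]:
    """Prepare the PUT that overwrites a single environment variable in a context.

    Returning a plain dict keeps the request inspectable (and testable) before
    any network call is made.
    """
    return {
        "method": "PUT",
        "url": f"{API_BASE}/context/{context_id}/environment-variable/{name}",
        "headers": {
            "Circle-Token": token,          # personal or project API token
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        "json": {"value": new_value},       # the only place the secret appears
    }


def http_send(req: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
    """Default transport: send the prepared request with the standard library."""
    body = json.dumps(req["json"]).encode()
    request = urllib.request.Request(req["url"], data=body,
                                     method=req["method"], headers=req["headers"])
    with urllib.request.urlopen(request, timeout=30) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


def rotate_secret(context_id: str, name: str, new_value: str, token: str,
                  send: Transport = http_send) -> Dict[str, Any]:
    """Overwrite the context variable and return an audit record.

    The record deliberately carries no secret material, so it is safe to log:
    exceptions and log lines are a common way secrets leak (see the article).
    """
    req = build_rotation_request(context_id, name, new_value, token)
    status, payload = send(req)
    if status not in (200, 201):
        # Do not include the request body in the error: it holds the new value.
        raise RuntimeError(f"rotation of {name} in context {context_id} "
                           f"failed with HTTP {status}")
    return {
        "context_id": context_id,
        "variable": payload.get("variable", name),
        "status": status,
        "value_length": len(new_value),   # enough to spot an empty/truncated value
    }


if __name__ == "__main__":
    # Typical scheduled-job wiring: the new credential is issued by the upstream
    # service (cloud provider, registry, ...) and handed to this script; the
    # script only updates the CircleCI side. All names below are placeholders.
    record = rotate_secret(
        context_id=os.environ["ROTATE_CONTEXT_ID"],
        name=os.environ["ROTATE_VAR_NAME"],
        new_value=os.environ["ROTATE_NEW_VALUE"],
        token=os.environ["CIRCLE_TOKEN"],
    )
    print(json.dumps(record))   # safe: no secret value in the record
```

Two design choices matter here. First, the secret value is confined to the request body; the returned audit record and the error message never include it, which is the same discipline the article asks for when warning about secrets surfacing in logs. Second, rotating the value in CircleCI is only half of a rotation: the old credential should also be revoked at the service that issued it, otherwise a previously leaked copy keeps working.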

The guidelines described in this article are especially relevant for large organizations, but even maintainers of small open-source projects may want to improve their secrets hygiene to prevent the breach of a popular library. With some upfront effort in design and automation, you can strengthen your security posture regardless of the size of your organization.

For more information on how to begin automating your secret rotation and creating environment variables using the API or CLI, check out our contexts documentation.
