From @kartikbb on Tue Oct 18 2016 08:41:55 GMT-0400 (EDT)
As of now, all admins can see the apple account username and password in “Deploy to ItunnesConnect” step which is big security issue.
Ideally, the password should not be displayed in plain text in the workflow editor. It should be masked.
Copied from original issue: https://github.com/bitrise-io/bitrise.io/issues/80
Provide write-only Secret Env Vars on bitrise.io (don't show the value on the Web UI after it's set)
From @viktorbenei on Tue Oct 18 2016 08:44:36 GMT-0400 (EDT)
Use Secret Env Vars if you don’t want to include something in your config, and don’t grant admin access to those you don’t want to have access to these information
From @kartikbb on Tue Oct 18 2016 08:47:57 GMT-0400 (EDT)
Even Secret Env Vars will also be visible to admins. I may have developers that manage builds and hence are added as admins. But i still do not want them to be able to see the password.
From @viktorbenei on Tue Oct 18 2016 08:49:41 GMT-0400 (EDT)
Makes sense, I guess adding a super admin role and restricting access of Secrets to this role would work. What do you think? Would that be sufficient?
From @kartikbb on Tue Oct 18 2016 14:12:01 GMT-0400 (EDT)
Well the least we can do is just mask the password for itunesconnect. Like we mask the password in the Code Signing Identity under workflow editor. That should be easy to do?
It would be nice to have a super-admin with full control of the visibility of secret variables.
Alternatively I’d still prefer write-only variables instead of the current configuration: our current setup exposes S3 keys, iTunes connect accounts etc to all admins and it’s not ideal.
Is there any update on this since October?
Thank you for your comment @FWFabio! No update yet, please vote on this #feature-request to bump its priority!
@viktorbenei – Any updates? It has been a while now on this feature, and seems to be a pretty big hole in security practices to have clear text passwords…
@AzureProd no update as this feature request is “low priority” right now, mainly because:
Secret values will be available in the build (that’s why you set those). So if someone has access to the editor (admins do) they can easily print that by modifying the workflow and starting a build which either prints the value or just sends it to somewhere, or stores it as an artifact attached to the build … The point is that if you’re an admin, you definitely can get those values, even if the values are not presented anywhere on the UI.
IMO making it write-only on the UI might even be misleading; indicating that something is write only when in reality the value can very well be retrieved during the build / by an admin.
This is not a bitrise specific thing, this is true for every CI/CD service. If you can affect the build (e.g. modify a script which runs during the build) you can get the value of secret variables.
We’re not against making it write only on the UI, I just wanted to share why this #feature-request got a low priority mark for now.
Happy Building!
P.S.: a related discussion: Allowing developers to modify workflows without exposing secrets
Write only / protected Secrets are now available: https://blog.bitrise.io/protect-your-secrets
Thanks everyone for voting on this #feature-request!
This topic was automatically closed after 14 days. New replies are no longer allowed.