Rotate your CircleCI secrets immediately

January 5, 2023

CircleCI has just announced a security breach: https://circleci.com/blog/january-4-2023-security-alert/

I’m seeing reports of people seeing cloud credentials being used from an unknown source.

A best practice is to use OIDC for your CI provider to connect to your cloud instead of static credentials. These short-lived tokens are far more secure, especially when these situations come up.

GitHub actions support OIDC, as well as CircleCI.

Something else you can choose to do is use a different secret store for your secrets. I’ve had some good success using AWS Secrets Manager with a GitHub action that pulled in secrets. The only thing that is exposed in GitHub Actions was the short-lived token from OIDC.

Master GitHub Actions with a Senior Infrastructure Engineer

As a senior staff infrastructure engineer, I share exclusive, behind-the-scenes insights that you won't find anywhere else. Get the strategies and techniques I've used to save companies $500k in CI costs and transform teams with GitOps best practices—delivered straight to your inbox.

Not sure yet? Check out the archive.

Unsubscribe at any time.