
Best Practices for Utilizing Secrets and Environment Variables on Bitrise.

In this informative session, we will explore the best practices for effectively managing and utilizing secrets and environment variables on Bitrise, a powerful and popular continuous integration and delivery platform. Secrets and environment variables play a crucial role in securing sensitive information and configuring your workflows correctly.

Jerry Okafor

October 29, 2023

Transcript

  1. Hello! My name is Jerry, Senior Android Engineer / Team Lead @Carbon. Passionate about Mobile Development and DevOps.
  2. Introduction. Env Vars and Secrets form part of the basic building blocks of any CI/CD pipeline. Bitrise provides robust out-of-the-box solutions to tackle the challenges associated with using Env Vars and Secrets in your build workflow. In this session you will:
     • Env Vars vs. Secrets: understand the difference between Env Vars and Secrets.
     • Handling Sensitive Data in codebase: understand how to handle sensitive data such as API keys in your codebase.
     • Use Env Vars and Secrets in a workflow: understand how to integrate Secrets and Environment Variables seamlessly into your Bitrise workflows.
     • Troubleshooting and Debugging: gain insights into troubleshooting common issues related to Secrets and Environment Variables.
  3. Env Vars (Key : Value). An Env Var is a key-value pair that holds data that you can use in your builds at various stages of the build, including as a Step input.
  4. Secrets (Key : Secured Value). Secrets are a specific type of Environment Variable: they hide their information in an encrypted format and their value is not exposed in the build logs. They aren't shown in the bitrise.yml configuration either. You can store confidential information, such as passwords or API keys, as Secrets.
  5. Important things to note about Env Vars and Secrets
     • All Env Vars and Secrets are stored as strings.
     • By default, the Env Var list size is 120 KB (can be increased by using Script Steps).
     • The default size limit of an Env Var is 20 KB (can be increased by using Script Steps).
     • Env Vars, unlike Secrets, are fully exposed in builds triggered by pull requests, so you should not add any sensitive information to Env Vars.
  6. Important things to note about Env Vars and Secrets (continued)
     • A Secret's protection can't be undone: making a Secret protected is irreversible.
     • Once a Secret has been marked as protected, you can't expose it to pull request builds.
     • If your app is a public app, you can't expose the app's Secrets to pull request builds.
     • You can't use a newly created Environment Variable in the same Step in which it was created; it takes effect from the subsequent Steps.
  7. Use Env Vars in your Workflows. An Env Var / Secret passes through four stages:
     • Declaration: the user declares the Env Var / Secret and Bitrise creates it.
     • Processing: Bitrise processes the Env Vars / Secrets.
     • Expose: the Env Var / Secret is exposed for reading.
     • Available: the Env Var / Secret is available for use.
  8. Declaration. Users can declare Env Vars at 3 different levels:
     • App Level
     • Workflow Level
     • Step Level
     Users can set Secrets using the Secrets tab or by modifying the input value of a Step input marked as SENSITIVE. Guides on how to do this are available in the Bitrise documentation.
  9. Declare Env Vars (App Level)
     1. From the Workflow Editor, click on $ Env Vars.
     2. Scroll to the section labelled App Environment Variables.
     3. Click on Add New.
     4. A new key and value input field will show up; add the Env Var key and the value accordingly.
     5. On the top right hand side, click on the button labelled ⌘ + S.
  10. Declare Env Vars (Workflow Level)
     1. From the Workflow Editor, click on $ Env Vars.
     2. Scroll to the section labelled X-Workflow Environment Variables for the required workflow.
     3. Click on Add New.
     4. A new key and value input field will show up; add the Env Var key and the value accordingly.
     5. On the top right hand side, click on the button labelled ⌘ + S.
  11. Declare Env Vars (Step Level)
     1. From the Workflow Editor, select any Step that uses an Env Var / Secret.
     2. Click on Insert variable for an Env Var, or Select Secret Variable for a Secret.
     3. Find the Env Var or Secret in the list and add it, or create a new one (for Secrets).
     4. On the top right hand side, click on the button labelled ⌘ + S.
  12. You can set Environment Variables, regardless of level, in the Workflow Editor, in your app's bitrise.yml file, or during a build with a custom Script Step using the envman tool.
  13. Use Case 1: Using an Env Var / Secret in the value of an Env Var / Secret. You can, at any time, use another Env Var / Secret in the value of an Env Var / Secret, i.e. embed the Env Var / Secret.
  14. All Env Vars have the is_expand property in the bitrise.yml. On the UI, this is represented by the "Replace variables in inputs?" toggle. We do NOT recommend enabling it, unless the value of your Env Var or Secret is another Env Var or Secret.
  15. Use Case 2: Setting and managing Env Vars during a build. You can modify Env Vars and Secrets during a build using a combination of a Script Step and the envman tool. envman helps you to read and write Bitrise Env Vars and Secrets, among other things. You can call envman from anywhere in your code as long as you call it from a Bitrise build.
  16. Use Case 2: Reading Env Vars / Secrets from a common file. There could be a need to read all our Env Vars / Secrets from one file, such as local.properties for Java/Kotlin or a .env file for JavaScript. You can export all the needed Env Vars or Secrets to the file before the build phase that needs it, usually after the repository clone and build environment setup.
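The Script Step described on slides 15 and 16, written out as an added example that is not from the deck or from Bitrise: a POSIX sh script that publishes a value to later Steps through envman (falling back to a plain export outside a Bitrise build) and writes the named Secrets into a local.properties or .env file without echoing their values. The Secret names API_KEY and API_BASE_URL, the variable BUILD_STAMP and the placeholder values are assumptions; BITRISE_SOURCE_DIR is the build's checkout directory.

```shell
#!/bin/sh
# Added example, not from the deck: the body of a Bitrise Script Step that
# (1) publishes a value to later Steps with envman and (2) writes the
# Secrets a Gradle or Node build expects in local.properties / .env.
# The Secret names API_KEY and API_BASE_URL are assumptions.
set -eu

# Make KEY available to the Steps that follow this one. envman exists only
# inside a Bitrise build; elsewhere fall back to a plain export so the
# script can be tried locally. Remember the value is not visible in the
# Step that created it (see the note on slide 6).
publish_env() {
  if command -v envman >/dev/null 2>&1; then
    envman add --key "$1" --value "$2"
  else
    export "$1=$2"
  fi
}

# Write KEY=VALUE lines for the named variables into TARGET. The file is
# created with mode 0600, values are never echoed (only the count reaches
# the build log), and a half-written file is removed if a name is unset.
write_secrets_file() {
  target="$1"; shift
  (
    umask 077                      # subshell: umask does not leak out
    : > "$target"
    for name in "$@"; do
      eval "value=\${$name:-}"     # indirect lookup, POSIX sh compatible
      if [ -z "$value" ]; then
        echo "write_secrets_file: $name is not set" >&2
        exit 1
      fi
      printf '%s=%s\n' "$name" "$value" >> "$target"
    done
  ) || { rm -f "$target"; return 1; }
  echo "wrote $# entries to $target"
}

# Usage inside the Script Step (placeholder values for a local dry run;
# on Bitrise the Secrets are already in the environment).
: "${API_KEY:=placeholder-not-a-real-key}"
: "${API_BASE_URL:=https://api.example.invalid}"
export API_KEY API_BASE_URL
publish_env BUILD_STAMP "$(date +%Y%m%d)"
write_secrets_file "${BITRISE_SOURCE_DIR:-$(mktemp -d)}/local.properties" \
  API_KEY API_BASE_URL
```

Add the generated file to .gitignore so a later commit Step cannot push it, and keep the Secrets out of pull request builds as slide 5 recommends.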
  17.
     • Use a secured code management (SCM) system.
     • Store sensitive data and code separately from your codebase.
     • Decide where this sensitive data will be stored.
     • Ensure a secure connection between the source of the data and your CI/CD.
     • Implement proper access control and decide who should have access to the sensitive data.
     • Ensure all sensitive data is stored as a Secret and encrypted.
     • Test and scan your code and environment regularly.