Is exposing a s3 secret access key in travis.yml file on an opensource project on Github a security risk?

I don't know much about Amazon s3 but I assume something called secret_access_key probably should be a secret. I'm reviewing a .travis.yml of someone's opensource project on Github and it is exposed. Is this something that the author overlooked or does this simply not matter because other users can't do anything with it?

Travis provides a mechanism for storing encrypted data in .travis.yml that only travis can decrypt. If that's what is in the file then I wouldn't worry (I'd still only do this for a locked down IAM set of credentials).

Assuming that's not what is in the file, AWS keys should definitely be secret. In the worst case scenario (the credentials are for the root aws user) it could allow full control of the aws account (ec2, rds etc. - not just s3).

It could also be more benign - for example if they are the credentials for a limited privilege user that can only read some files from a specific s3 bucket. I still wouldn't recommend checking in any credentials of any sort to a public repository.
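The distinction the answer draws, between a Travis `secure:` entry and a credential sitting in the file as plaintext, is something you can check mechanically before a commit lands in a public repository. The following scanner is an added example, not code from the original answer: it walks a `.travis.yml` line by line, skips `secure:` entries, and reports any plaintext AWS access key ID or secret access key, masked so the report itself does not reproduce the value. The sample file and the key values in it are constructed (the values are AWS's documented example credentials, not live keys).

```python
import re

# Well-known shape of an AWS access key ID: the AKIA prefix plus 16 characters.
ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# An env assignment or YAML mapping that names a secret access key, e.g.
#   - AWS_SECRET_ACCESS_KEY=wJalr...   or   secret_access_key: wJalr...
SECRET_KEY_RE = re.compile(
    r"(?i)\b(aws_)?secret_access_key\b\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})"
)
# Travis-encrypted values are stored as `secure: "<base64 blob>"` and only
# Travis can decrypt them, so those lines are not plaintext leaks.
SECURE_RE = re.compile(r"^\s*-?\s*secure\s*:", re.IGNORECASE)


def mask(value):
    """Keep just enough of a value to identify it in a report."""
    return value[:4] + "..." + value[-4:]


def scan_travis_yml(text):
    """Return (line_no, kind, masked_value) for every plaintext AWS credential
    found in the given .travis.yml contents; `secure:` entries are skipped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if SECURE_RE.match(line):
            continue  # encrypted by Travis; nothing readable here
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((line_no, "access_key_id", mask(m.group(1))))
        m = SECRET_KEY_RE.search(line)
        if m:
            findings.append((line_no, "secret_access_key", mask(m.group(2))))
    return findings


# Constructed sample: one encrypted entry (fine) and two plaintext ones (leak).
# The key values are AWS's documented example credentials, not real ones.
SAMPLE_TRAVIS_YML = """\
language: python
env:
  global:
    - secure: "aGVsbG8gd29ybGQ="
    - AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
    - AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    for line_no, kind, value in scan_travis_yml(SAMPLE_TRAVIS_YML):
        print(f"line {line_no}: plaintext {kind} {value}")
```

Running it as a pre-commit hook over `.travis.yml` catches the plaintext case the answer warns about while leaving encrypted `secure:` entries alone.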

Yes, I faced a problem: a company named https://leakd.io/ captured my key and gave me an ethical warning message.

Please don't do that; try environment vars.
