Ability for any user in Private repo to echo out secrets using drone file

Hi there,

We currently have an issue where within our private GitLab repo in which we are passing in AWS secrets using Drone v1. An issue has been raised that in the future anyone with malicious intent and access to the repo could create and push to an unprotected branch with something like an echo env command to export any of the secrets being passed into the build in the .drone.yml file.

Do you know if there is any solution to an issue like this? Is it possible to pull a drone file from an upstream repo or a way to still protect the drone file in a private setting?

Any advice anyone can offer would be greatly appreciated.



Are you using Repo Secret and stored for drone repository.
You can use organization secret or aws plugin:

Let me know if this doesn’t help.

Harness Support

Are you worried about secrets being exposed by people with write access to the repository?

Hi there, yes exactly. Theoretically anyone with write access could just change the drone file and just add in a step to export/echo the secrets in drone. Signatures and branch protections really don’t work in stopping this aspect of misuse.

We are storing our secrets in drone as it stands and call them “from_secret” in our drone file. Currently we haven’t explore adding the AWS plugin which we will try next, but I believe it would a useful solution would be to have an elevated level of signature which you could attach to the drone file that would only allow set users to sign, and thus, edit the drone file itself.

If you have any other suggestions to try I would love to hear them.

See What if someone trying to steal my secrets by editing .drone.yaml - #2 by ashwilliams1

1 Like