I'm planning to run database migrations through CI before deploying a new build to my server. To do this, I'm using GitHub Actions to set environment variables for my database connection using GitHub Secrets. Here's a snippet of my workflow:
```yaml
- name: Run database migrations
  run: node scripts/run-migrations.js
  env:
    DB_HOST: ${{ secrets.RDS_HOST }}
    DB_PORT: ${{ secrets.RDS_PORT }}
    DB_USERNAME: ${{ secrets.RDS_USERNAME }}
    DB_PASSWORD: ${{ secrets.RDS_PASSWORD }}
    DB_DATABASE: ${{ secrets.RDS_DATABASE }}
```
I've heard mixed opinions on whether it's good practice to store AWS credentials in GitHub Secrets. Is this method safe, or should I consider alternative approaches? What do you recommend for handling these credentials securely?
5 Answers
Storing secrets in GitHub is usually safe for many scenarios, but how you handle and expose them is crucial. If you're careful about permissions and access, you're likely on the right track.
You could also just call your secrets manager from GitHub Actions, saving only the access credentials in GitHub Secrets. That way, you limit exposure and add more layers of security.
Are you using a GitHub runner inside your own VPC? If so, you might want to fetch secrets from a local store, like AWS Secrets Manager or HashiCorp Vault, instead of GitHub Secrets directly.
Your setup might expose the RDS instance if it’s publicly accessible, which isn't ideal. Instead of relying solely on GitHub Secrets, consider using OIDC to authenticate with AWS for temporary credentials. You could also use RDS IAM authentication specifically for running migrations. Using permanent keys can make your setup less secure. So, rethink the overall architecture.
OIDC sounds promising. I need to look into how it works with AWS.
That makes sense! I wasn’t sure about the implications of leaving the DB public. Thanks for the suggestion!
There's nothing inherently wrong with using GitHub Secrets. The concern usually lies in how you use the IAM Users. If possible, try to avoid them and go with temporary roles or OIDC – it's a more secure route. But generally, GitHub Secrets can be safe if managed properly.
What do you suggest besides IAM Users for AWS access?
Great point! I hadn't thought of that option for better security.
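The OIDC plus RDS IAM authentication approach suggested in two of the answers above, written out as a complete workflow. This is an added example, not code from the question or any answer; the role ARN (account id and role name), the `migrator` DB user, the region and the `DB_SSL` variable are placeholders and assumptions, and the job still reads the hostname, port and database name from GitHub Secrets as the original snippet does, but no long-lived AWS access keys or database password are stored anywhere in GitHub.

```yaml
name: Run database migrations
on:
  push:
    branches: [main]

permissions:
  id-token: write   # lets the job request an OIDC token from GitHub
  contents: read

jobs:
  migrate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchange the GitHub OIDC token for short-lived AWS credentials.
      # Nothing long-lived (no IAM user access keys) is kept in GitHub Secrets.
      - name: Assume deploy role via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # placeholder account id and role name; the role's trust policy must
          # restrict the GitHub OIDC "sub" claim to this repository and branch
          role-to-assume: arn:aws:iam::123456789012:role/github-migrations
          aws-region: us-east-1

      # Mint an RDS IAM auth token (valid for 15 minutes) instead of using a stored password.
      # Assumes the DB user exists with IAM auth enabled (PostgreSQL: GRANT rds_iam TO migrator;).
      - name: Generate RDS IAM auth token
        id: dbtoken
        run: |
          TOKEN=$(aws rds generate-db-auth-token \
            --hostname "${{ secrets.RDS_HOST }}" \
            --port "${{ secrets.RDS_PORT }}" \
            --region us-east-1 \
            --username migrator)
          echo "::add-mask::$TOKEN"           # keep the token out of the job log
          echo "token=$TOKEN" >> "$GITHUB_OUTPUT"

      - name: Run database migrations
        run: node scripts/run-migrations.js
        env:
          DB_HOST: ${{ secrets.RDS_HOST }}
          DB_PORT: ${{ secrets.RDS_PORT }}
          DB_USERNAME: migrator
          DB_PASSWORD: ${{ steps.dbtoken.outputs.token }}   # short-lived token, not a secret
          DB_DATABASE: ${{ secrets.RDS_DATABASE }}
          DB_SSL: "true"   # assumed app setting; RDS IAM auth requires TLS to the endpoint
```

The assumed IAM role needs only `rds-db:connect` on the `migrator` user's resource ARN, so a leaked runner token cannot do more than open a database session for a few minutes.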