How to pass a GitLab env var with sensitive characters to a bash script?

Submitted by: @import:stackexchange-devops

Problem

I have the following situation:
I'm storing sensitive data in GitLab's environment and then passing these variables to a deployment script in bash.

GitLab's env var:

Key: sensitive_var
Value: aaa$bbb*%


Then in the .gitlab-ci.yml file the env vars are passed to the deployment script as follows:

.deploy:
  script:
    - deploy.sh PASS=${sensitive_var}


The deployment script parses the arguments as follows:

for arg; do
  TEMP_VAR=$(echo ${arg} | sed -e 's?=? ?')
done


The problem is that when we check the output of the deploy.sh script the variable's value gets expanded resulting in aaa*%.

Solutions tried so far:

  • Storing the value in GitLab's environment with single quotes ('), but then the value was 'aaa*%'.

  • Passing the environment variable with double quotes:

.deploy:
  script:
    - deploy.sh PASS="${sensitive_var}"


.deploy:
  script:
    - deploy.sh PASS="$sensitive_var"


But the result was the same: aaa*%.

  • A combination of the above solutions didn't work either.

Why is this happening, and how can I fix it?

Solution

Surprisingly indeed GitLab works weirdly with the env vars.

It evaluates them internally, though it shouldn't in my view.

Value set as (in project Settings > CI/CD > Variables): 'aaa$bbb*%'

becomes 'aaa*%'
(with single quotes left!)

A couple of proof links:

  • https://gitlab.com/gitlab-org/gitlab-ce/issues/45173#note_101659865

  • https://gitlab.com/gitlab-org/gitlab-ce/issues/27436

Workarounds:

1) You can duplicate the dollar ($) sign, i.e.: aaa$$bbb*%

(as mentioned in the first link above).

2) Use base64 to encode and decode the value.

Do this first:

$ echo 'aaa$bbb*%' | base64
YWFhJGJiYiolCg==


Then store this value in project Variables.

And then in your script decode it:

# -D is the macOS/BSD flag; GNU coreutils and BusyBox base64 use -d
PASS=$(echo "${sensitive_var}" | base64 -D)

Context

StackExchange DevOps Q#8627, answer score: 4
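
The base64 workaround from the answer, combined with a quote-safe way for deploy.sh to split KEY=value arguments, as an added example that is not part of the original post. The names decode_b64, parse_kv, expand_undefined and SECRET_B64 are hypothetical, the sample value is constructed from the question, and expand_undefined is only a shell model of the expansion the answer describes.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. decode_b64, parse_kv,
# expand_undefined and SECRET_B64 are hypothetical names.

# Model of the failure: a "$name" reference to an undefined variable expands
# to nothing, which turns aaa$bbb*% into the aaa*% seen in the question.
expand_undefined() {
  printf '%s' "$1" | sed 's/\$[A-Za-z_][A-Za-z0-9_]*//g'
}

# Decode base64 portably: GNU coreutils and BusyBox take -d, macOS/BSD takes -D.
decode_b64() {
  printf '%s' "$1" | base64 -d 2>/dev/null || printf '%s' "$1" | base64 -D
}

# Split one KEY=value argument using parameter expansion only. Nothing is
# passed through an unquoted expansion, so no word splitting or globbing.
parse_kv() {
  KV_KEY=${1%%=*}
  KV_VALUE=${1#*=}
}

# Constructed sample: printf '%s' 'aaa$bbb*%' | base64  ->  YWFhJGJiYiol
# (printf avoids the trailing newline that echo would encode).
SECRET_B64='YWFhJGJiYiol'

# What deploy.sh would end up with when given PASS="<decoded secret>".
roundtrip() {
  parse_kv "PASS=$(decode_b64 "$SECRET_B64")"
  printf '%s' "$KV_VALUE"
}

if [ "$(roundtrip)" = 'aaa$bbb*%' ]; then
  echo "value survived the round trip"
fi
```

The encoded string contains only characters from the base64 alphabet, so it has no $ for variable expansion to act on; decoding and parsing inside double quotes keeps *, % and $ literal all the way into the script.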
