How to pass Gitlab env var with sensitive characters to bash script?
Problem
I have the following situation:
I'm storing sensitive data in Gitlab's environment and then passing these variables to a deployment script in bash.
Gitlab's env var:
    Key: sensitive_var
    Value: aaa$bbb*%
Then in the .gitlab-ci.yml file the env vars are passed to the deployment script as follows:
    .deploy:
      script:
        - deploy.sh PASS=${sensitive_var}
The deployment script parses the arguments as follows:
    for arg; do
      TEMP_VAR=$(echo ${arg} | sed -e 's?=? ?')
    done
The problem is that when we check the output of the deploy.sh script the variable's value gets expanded resulting in aaa*%.
Solutions tried so far:
- Storing the value in Gitlab's environment with single quotes ' but then the value was 'aaa*%'.
- Passing the environment variable with double quotes:
    .deploy:
      script:
        - deploy.sh PASS="${sensitive_var}"

    .deploy:
      script:
        - deploy.sh PASS="$sensitive_var"
  But the result was the same: aaa*%.
- Combination of the above solutions didn't work either.
Why is this happening, and how can I fix it?
Solution
Surprisingly indeed GitLab works weirdly with the env vars.
It evaluates them internally, though it shouldn't in my view.
Value set as (in project Settings > CI/CD > Variables):
    'aaa$bbb*%'
becomes
    'aaa*%'
(with single quotes left!)
Couple of proof links:
- https://gitlab.com/gitlab-org/gitlab-ce/issues/45173#note_101659865
- https://gitlab.com/gitlab-org/gitlab-ce/issues/27436
Workarounds:
1)
You can duplicate dollar ($) sign, i.e.:
    aaa$$bbb*%
(as mentioned on the first link above).
2)
Use base64 to encode and decode the value.
Do this first:
    $ echo 'aaa$bbb*%' | base64
    YWFhJGJiYiolCg==
Then store this value in project Variables.
And then in your script decode it:
    PASS=$(echo ${sensitive_var} | base64 -D)
Code Snippets
    $ echo 'aaa$bbb*%' | base64
    YWFhJGJiYiolCg==

    PASS=$(echo ${sensitive_var} | base64 -D)
Context
StackExchange DevOps Q#8627, answer score: 4
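
An added example (not part of the original question or answer) of the script side of workaround 2: it decodes the base64 value with `base64 --decode`, the long option that both GNU coreutils and macOS accept, and splits KEY=VALUE arguments with quoted parameter expansion so `$`, `*` and spaces reach the script unchanged. All function names are hypothetical, and the sample input is the base64 string shown in the answer.

```bash
#!/bin/sh
# Added example: function names are hypothetical, not from deploy.sh.

# Decode a base64-encoded CI variable. printf avoids echo's portability
# quirks, and the quotes stop word splitting and globbing of the input.
decode_secret() {
    printf '%s' "$1" | base64 --decode
}

# Split one KEY=VALUE argument with parameter expansion instead of echo | sed.
# Only the first '=' separates key and value, so '=' may appear in the value.
arg_key()   { printf '%s' "${1%%=*}"; }
arg_value() { printf '%s' "${1#*=}"; }

# The question's pattern, kept for comparison: the unquoted ${1} is word-split
# and glob-expanded by the shell before sed ever sees it.
unquoted_split() { echo ${1} | sed -e 's?=? ?'; }

# Constructed sample input: the base64 string from the answer.
encoded='YWFhJGJiYiolCg=='

# Command substitution strips the trailing newline that
# `echo '...' | base64` encoded along with the value.
PASS=$(decode_secret "$encoded")

for arg in "PASS=$PASS"; do
    key=$(arg_key "$arg")
    value=$(arg_value "$arg")
    # Report the length only, so the secret never lands in the job log.
    printf '%s parsed, %s characters\n' "$key" "${#value}"
done
```

Quoting inside the script cannot restore characters that GitLab's own variable expansion removed before the job started, which is why the value is stored encoded.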