Using secret api keys on travis-ci
Solution 1
Travis has a feature to encrypt environment variables ("Encrypting environment variables"). This can be used to protect your secret API keys. I've successfully used this for my Heroku API key.
All you have to do is install the travis gem, encrypt the string you want and add the encrypted string in your .travis.yml
. The encryption is only valid for one repository. The travis
command gets your public key for your repo and can then decrypt the string during the build.
gem install --user travis
travis encrypt MY_SECRET_ENV=super_secret -r my_username/my_repo
This gives you the following output:
Please add the following to your .travis.yml file:
secure: "OrEeqU0z6GJdC6Sx/XI7AMiQ8NM9GwPpZkVDq6cBHcD6OlSppkSwm6JvopTR\newLDTdtbk/dxKurUzwTeRbplIEe9DiyVDCzEiJGfgfq7woh+GRo+q6+UIWLE\n3nowpI9AzXt7iBhoKhV9lJ1MROrnn4DnlKxAEUlHTDi4Wk8Ei/g="
Solution 2
according to this in travis ci documentation it's said that :
If you have both the Heroku and Travis CI command line clients installed, you can get your key, encrypt it and add it to your .travis.yml by running the following command from your project directory:
travis encrypt $(heroku auth:token) --add deploy.api_key
refer to the following tutorial to install heroku client according to your OS
Solution 3
You can also define secret variables in repository settings:
Variables defined in repository settings are the same for all builds, and when you restart an old build, it uses the latest values. These variables are not automatically available to forks.
Define variables in the Repository Settings that:
- differ per repository.
- contain sensitive data, such as third-party credentials.
To define variables in Repository Settings, make sure you’re logged in, navigate to the repository in question, choose “Settings” from the cog menu, and click on “Add new variable” in the “Environment Variables” section.
Comments
-
user94154 over 3 years
I'd like to use travis-ci for one of my projects.
The project is an API wrapper, so many of the tests rely on the use of secret API keys. To test locally, I just store them as environment variables. What's a safe way to use those keys on Travis?
-
BM5k almost 12 yearsWhat do you mean by "do it the same way"? I don't really like the idea of storing API keys in the repo itself (i.e. in the .travis.yml file), but there doesn't seem to be another way to configure environment variables on travis.
-
Prashant about 11 yearsThe env variable will get encrypted with a public key, so only the owner of the secret key can decrypt it. You should not use an important token. In my case I used the one which travis already had for GitHub. This worked quite well and from within github I can revoke that token whenever I feel travis be a risk. Having the encrypted token in my repo doesnt make me sleep bad. github.com/ecki/GCViewer/blob/topic-ciupload/.travis.yml
-
jerseyboy almost 11 yearsDon't forget to document what variables you are using, and why, because once encrypted them only someone with the original keys can recover them.
-
Thomas over 8 yearsWith the option
--add env.global
to thetravis
command, it will amend your .travis.yml automatically. -
lordlabakdas about 7 yearsWhat if I were using a config.py to store all my API keys and using ConfigParser() to parse them? Does this mean that I have to change my code to look for these unique values?
-
Odi about 7 years@lordlabakdas I don't know what you mean with "unique values", but if you would use a config.py to store all your API keys, then this file would be in your repository in order for Travis to access it. And it's generally a bad idea to store sensitive information like passwords or API keys in the repository. That's why there is this mechanism of encrypting environment variables.
-
mosaad almost 7 yearshow can i use these encrypted variables
-
Odi almost 7 years@mosaad you can use these values as normal environment variables (i.e. access them in your code), Travis decrypts them at the beginning of each build.
-
XedinUnknown over 6 yearsDidn't understand how to create secret variables. When googling that, results explain how to encrypt.
-
bmaupin about 6 years@XedinUnknown This can be used for secret variables. From the link: "By default, the value of these new environment variables is hidden from the export line in the logs. This corresponds to the behavior of encrypted variables in your .travis.yml. The variables are stored encrypted in our systems, and get decrypted when the build script is generated."
-
vapurrmaid about 6 yearsI just want to verify: the key it adds to your file is safe to upload to version control, right?
-
carlin.scott about 6 yearsAnyone with the ability to trigger your build can access these keys decrypted. For instance, you could use the "debug build" feature to ssh into the build machine and simply echo the "secure" environment variable.
-
Odi about 6 years@carlin.scott yes, but this is not true for pull requests from forks. And if someone has write access to a repository, you should trust them to have this information. But certainly a good point!
-
Ram Idavalapati over 5 years@Odi I am thinking this is safe for public git repos also (exposing encrypted keys). Is this true?
-
Odi over 5 years@RamIdavalapati: since the secrets are encrypted, this is considered safe, yes.
-
Ramesh-X over 4 yearsIf TravisCI was hacked, can that person obtain the
SECRET_ENV
? -
Odi over 4 years@Ramesh-X: yes since this encryption is for TravisCI. If someone has control over TravisCI, they could obtain SECRET_ENV
-
Michael Goerz over 4 yearsThe travis gem is very difficult to install (at least on MacOS). Is there a "manual" alternative?
-
Odi over 4 years@Michael Goerz: Yes, simply add the env variables via the Travis web interface