[!NOTE] Container breakouts and other misconfigurations aside secret management are out-of-scope of this post.
root@container # cat .env
export AWSJWT="eY..."
Containers: threat model
- external attacker
- authenticated access to an application (for some cases)
- RCE in a docker container
- access to a single server
- access to a developer’s workstation
Secrets in files
the most common secret management issue
COPY --chown=container /home/user /home/container
container@1cd133db52a0:/$ cd
container@1cd133db52a0:~$ ls .ssh/
id_rsa id_rsa.pub known_hosts
Secrets in files: COPY and ADD from developer workstations
- build scripts
gitsecrets- curl commands
- credential caches
envfiles
Secrets in files: .xyz_history
bash,zsh,fish,sh, and other shells.mysql_histfile,psqlhistory files, and other dbs- command-line editor or IDE caches
- can be carried over when creating a container
Secrets in files: simple demo
Secrets in files: other source examples
- SSH keys
- local account passwords
- local service secrets
Secrets in environment variables
[!NOTE] Note that environment variables can be easily leaked by the application itself, not requiring any access to the container.
ENV AWSTOKEN=$secretToken
$ export AUTHT="1122334455667788"
secrets in env: common cases
- API keys (
curl -H "Authentication: $KEY" ...) - AWS/Azure/GCP access tokens
- build environment secrets
- even passwords (sometimes)
secrets in env: process environments
- not only
envin bash
find /proc -name environ -exec xargs -0 -L1 -a {} \\; 2>/dev/null | sort --uniq
