Do not mount secrets as environment variables
olevski opened this issue · 0 comments
olevski commented
Feedback from the security engineers at BIT.
It is better to mount secrets as volumes because sometimes logs dump all environment variables, so it is more risky that secrets will leak to logs if mounted as environment vars.
This requires two steps:
- see which services do this
- propose and quickly test a solution and open a new issue (if required)
It could be that mounting secrets as volumes also prevents a service from properly restarting and using the new values if the secret changes. Not sure exactly if mounting secrets as environment variables helps in this case too tbh.
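The first step listed in the issue, finding which services pull secrets into their environment, can be automated against `kubectl` output. The script below is an added example, not code from the issue or the project. It assumes the JSON shape that `kubectl get deploy,sts,ds,job,cronjob,pod -A -o json` prints and embeds a constructed sample of that output (the workload and secret names in it are made up). It reports every container that sources a Secret through `env[].valueFrom.secretKeyRef` or `envFrom[].secretRef`. As a side check related to the rotation question, it also flags Secret volumes mounted with `subPath`: the kubelet refreshes a normally mounted Secret volume when the Secret object changes, but not a `subPath` mount, and environment variables only change when the container restarts.

```python
"""Audit Kubernetes workloads for Secrets exposed as environment variables.

Added example, not part of the issue. Input is the JSON that
`kubectl get deploy,sts,ds,job,cronjob,pod -A -o json` prints (a "List"
object) or a single workload object. Uses only the standard library.
"""
import json
from typing import Iterator, Optional

# Workload kinds whose PodSpec lives at spec.template.spec
WORKLOADS_WITH_TEMPLATE = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def pod_spec_of(obj: dict) -> Optional[dict]:
    """Return the PodSpec embedded in a workload object, or None if it has none."""
    kind, spec = obj.get("kind"), obj.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec")
    if kind in WORKLOADS_WITH_TEMPLATE:
        return spec.get("template", {}).get("spec")
    return None


def iter_objects(doc: dict) -> Iterator[dict]:
    """Yield each object from a kubectl List, or the single object itself."""
    if doc.get("kind") == "List":
        yield from doc.get("items", [])
    else:
        yield doc


def find_secret_exposure(doc: dict) -> list:
    """Return one finding per container/Secret pairing that needs attention."""
    findings = []
    for obj in iter_objects(doc):
        pod = pod_spec_of(obj)
        if not pod:
            continue
        meta = obj.get("metadata", {})
        workload = f"{obj['kind']}/{meta.get('namespace', 'default')}/{meta.get('name')}"
        # Volumes backed by a Secret, so subPath mounts of them can be spotted.
        secret_volumes = {v["name"]: v["secret"]["secretName"]
                          for v in pod.get("volumes", []) if "secret" in v}
        for c in pod.get("initContainers", []) + pod.get("containers", []):
            for env in c.get("env", []):
                ref = env.get("valueFrom", {}).get("secretKeyRef")
                if ref:  # single key injected as an env var
                    findings.append(dict(workload=workload, container=c["name"],
                                         secret=ref["name"], via=f"env {env['name']}"))
            for env_from in c.get("envFrom", []):
                ref = env_from.get("secretRef")
                if ref:  # whole Secret injected as env vars
                    findings.append(dict(workload=workload, container=c["name"],
                                         secret=ref["name"], via="envFrom"))
            for mount in c.get("volumeMounts", []):
                # subPath mounts of a Secret volume are not updated on rotation
                if mount.get("subPath") and mount["name"] in secret_volumes:
                    findings.append(dict(workload=workload, container=c["name"],
                                         secret=secret_volumes[mount["name"]],
                                         via=f"volume subPath {mount['mountPath']}"))
    return findings


# Constructed sample of `kubectl ... -o json` output: one Deployment using env
# and envFrom, one CronJob with a subPath mount, one StatefulSet done correctly.
SAMPLE_KUBECTL_OUTPUT = """
{"kind": "List", "items": [
 {"kind": "Deployment", "metadata": {"name": "api", "namespace": "prod"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "api", "image": "example/api:1.0",
     "env": [{"name": "DB_PASSWORD",
              "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}},
             {"name": "LOG_LEVEL", "value": "info"}],
     "envFrom": [{"secretRef": {"name": "api-keys"}}]}]}}}},
 {"kind": "CronJob", "metadata": {"name": "backup", "namespace": "prod"},
  "spec": {"jobTemplate": {"spec": {"template": {"spec": {
    "volumes": [{"name": "creds", "secret": {"secretName": "backup-creds"}}],
    "containers": [{"name": "backup", "image": "example/backup:1.0",
      "volumeMounts": [{"name": "creds", "mountPath": "/etc/backup/token",
                        "subPath": "token"}]}]}}}}}},
 {"kind": "StatefulSet", "metadata": {"name": "db", "namespace": "prod"},
  "spec": {"template": {"spec": {
    "volumes": [{"name": "creds", "secret": {"secretName": "db-creds"}}],
    "containers": [{"name": "postgres", "image": "postgres:16",
      "volumeMounts": [{"name": "creds", "mountPath": "/etc/db-creds",
                        "readOnly": true}]}]}}}}
]}
"""


def audit_sample() -> list:
    """Run the audit over the embedded sample; used when no file is given."""
    return find_secret_exposure(json.loads(SAMPLE_KUBECTL_OUTPUT))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            results = find_secret_exposure(json.load(fh))
    else:
        results = audit_sample()
    for f in results:
        print(f"{f['workload']} container={f['container']} secret={f['secret']} via={f['via']}")
```

Run it with no arguments to see the three findings from the sample, or pass a file produced by `kubectl get deploy,sts,ds,job,cronjob,pod -A -o json` to audit a real cluster. The StatefulSet in the sample produces no finding because it mounts the Secret as a plain volume, which is the pattern the issue asks to move to.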