-1

I'm creating a CI/CD pipeline in AWS CodePipeline and, for this, I created a lot of parameters in AWS Secrets Manager (GitHub password, Docker Hub password, and so on).

Well, these secrets are mine (from my personal account) and can't be shared with anyone, including the root account.

Is there a way to protect these secrets from the root account? I would like to give read/write access to these secrets only to my pipeline, but the root account can change them if it wants to.

userdevexp
  • What do you mean with root account? Is that the root user of the account? – Raul Barreto Aug 12 '20 at 16:13
  • Root Account of AWS, the "super user". – userdevexp Aug 12 '20 at 16:15
  • There is no way to restrict root (except on some very special occasions that have to do with audit/compliance). – Matus Dubrava Aug 12 '20 at 17:02
  • The only way to prevent someone else from learning your secrets is to not give them access to those secrets. At all. So if you need those secrets for a CodePipeline, then you should create that pipeline under an account that you also control. – Parsifal Aug 12 '20 at 17:27
  • That said, using your personal credentials for work is an incredibly bad idea. It opens you to possible liability that may extend beyond your employment, and is an operational risk to your employer. It's simple enough to create a new set of accounts that are specific to your current employer. I really recommend that you do so. – Parsifal Aug 12 '20 at 17:30
  • Thanks for your answers. – userdevexp Aug 12 '20 at 17:37

1 Answer

1

It's not possible to restrict the access of the root user to a service unless the account itself doesn't have access to the service. This can be done with AWS Organizations SCP.

Raul Barreto
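As an added example (not part of the answer above), here is an SCP of the kind Raul describes, attached to the member account that holds the pipeline: it denies every principal in that account, the root user included, the ability to read or change secrets under a `pipeline/` name prefix unless the caller is a role named `codepipeline-secrets-role`. Both the secret prefix and the role name are assumed placeholders, not values from the question.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPipelineSecretsToEveryoneButPipelineRoleAssumedNames",
      "Effect": "Deny",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue",
        "secretsmanager:UpdateSecret",
        "secretsmanager:UpdateSecretVersionStage",
        "secretsmanager:DeleteSecret",
        "secretsmanager:RestoreSecret",
        "secretsmanager:PutResourcePolicy",
        "secretsmanager:DeleteResourcePolicy"
      ],
      "Resource": "arn:aws:secretsmanager:*:*:secret:pipeline/*",
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/codepipeline-secrets-role"
        }
      }
    }
  ]
}
```

An SCP never grants access, so the pipeline role still needs its own IAM policy allowing these actions; and SCPs only constrain member accounts, never the organization's management account or its root user, so the pipeline must live in a member account for this to bite.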