Database credentials are some of the most sensitive secrets in any organization. A leaked database password can lead to data breaches, compliance violations, and significant financial damage. Yet teams still share them insecurely every day, especially during CI/CD pipeline setup.
Why Database Credentials Leak
Hardcoded in Code
Developers sometimes hardcode database connection strings directly in application code, Docker Compose files, or configuration files that get committed to version control. Automated bots scan public repositories for exactly these patterns.
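The patterns described above (connection strings with an embedded password, password-like keys assigned a literal value) can be caught before they reach version control. The following pre-commit style scanner is an added example written for this article, not code from PassLink or any other project; the file contents it scans are constructed samples, and the key names and URL schemes it looks for are an illustrative subset, not a complete rule set. Findings are reported with the secret masked so the scanner's own output is safe to log in CI.

```python
import re

# Password-like keys commonly seen in Docker Compose, .env and settings files
# (illustrative subset, not exhaustive).
PASSWORD_KEYS = r"(?:DB_PASSWORD|DATABASE_PASSWORD|POSTGRES_PASSWORD|MYSQL_ROOT_PASSWORD|PGPASSWORD)"

# URL-style connection string with an embedded password, e.g. postgres://app:pw@host/db
URL_RE = re.compile(
    r"\b(?P<prefix>(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|mssql)://[^\s:/@]+:)(?P<secret>[^\s@]+)@",
    re.I,
)
# key=value / key: value with a literal value. Values starting with '$' are
# environment or CI secret references (${DB_PASSWORD}, ${{ secrets.X }}) and are not flagged.
KEY_RE = re.compile(
    r"\b(?P<prefix>" + PASSWORD_KEYS + r"\s*[:=]\s*['\"]?)(?P<secret>[^\s'\"$]{4,})",
    re.I,
)


def redact(line: str) -> str:
    """Mask the secret portion of any match so a finding can be printed in CI logs."""
    line = URL_RE.sub(r"\g<prefix>***@", line)
    return KEY_RE.sub(r"\g<prefix>***", line)


def scan_text(text: str, filename: str = "<stdin>") -> list:
    """Return one finding per line that contains a hardcoded database credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if URL_RE.search(line) or KEY_RE.search(line):
            findings.append({"file": filename, "line": lineno, "text": redact(line).strip()})
    return findings


# Constructed sample: a Compose file mixing hardcoded values with an injected one.
SAMPLE_COMPOSE = """\
services:
  db:
    image: postgres:16
    environment:
      POSTGRES_PASSWORD: hunter2pass        # hardcoded: flagged
  app:
    environment:
      DATABASE_URL: postgres://app:s3cretpw@db:5432/app   # hardcoded: flagged
      DB_PASSWORD: ${DB_PASSWORD}          # injected from the environment: not flagged
"""

# Constructed sample: the hardened form, referencing a GitHub Actions secret.
SAMPLE_WORKFLOW = """\
env:
  DATABASE_URL: ${{ secrets.DATABASE_URL }}   # secret reference: not flagged
"""

if __name__ == "__main__":
    for name, text in (("docker-compose.yml", SAMPLE_COMPOSE), ("ci.yml", SAMPLE_WORKFLOW)):
        for f in scan_text(text, name):
            print(f"{f['file']}:{f['line']}: {f['text']}")
```

Run as a pre-commit hook or a CI step that fails the build when `scan_text` returns anything; the redacted line is enough for the developer to locate and remove the credential.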
Pasted in Slack/Confluence
When setting up a new CI/CD pipeline or onboarding a team member, database credentials often end up pasted in Slack channels, Confluence pages, or shared documents. These persist indefinitely and are searchable.
CI/CD Secrets Management Options
GitHub Actions Secrets
GitHub Actions provides encrypted secrets that can be used in workflow files. Secrets are stored encrypted and masked in logs. This is the recommended approach for GitHub-based CI/CD.
AWS SSM / Secrets Manager
For AWS-based infrastructure, AWS Systems Manager Parameter Store and AWS Secrets Manager provide secure, centralized secret storage. Secrets can be fetched at runtime, rotated automatically, and access-controlled via IAM.
One-Time Links for Initial Setup
When setting up a new pipeline, someone needs to enter the initial credentials. Rather than pasting them in a message, create a self-destructing link with the database connection string. The person setting up CI/CD opens the link, copies the value, enters it as a secret, and the link self-destructs.
When One-Time Links Fill the Gap
Secrets managers are essential for production systems, but there are situations where a quick, secure one-time transfer is the practical solution: initial CI/CD setup before a secrets manager is configured, sharing staging database credentials with a contractor, transferring credentials between teams that use different cloud providers, or emergency access during incident response.
Step-by-Step with PassLink
1. Copy the database connection string or credentials you need to share
2. Go to PassLink and paste them into the encrypted form
3. Set expiration to 1 hour and enable password protection
4. Send the link to the person configuring the pipeline
5. They open it, copy the credentials into the CI/CD secret store, and the link is destroyed
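The properties the steps above rely on (a link that is readable exactly once, expires after a set time, and can require a password) are shown below in a small in-memory model. This is an added educational example, not PassLink's implementation, and it deliberately leaves out what a real service must add: encryption of the stored value, transport security, and rate limiting. The connection string, password and timestamps are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional

PBKDF2_ITERATIONS = 100_000
MAX_PASSWORD_ATTEMPTS = 3


class OneTimeSecretStore:
    """Illustrative one-time secret store: each value can be read once, expires
    after a TTL, and may be protected by a password (stored only as a PBKDF2 hash)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock          # injectable so expiry can be tested without sleeping
        self._items = {}

    def create(self, value: str, ttl_seconds: int = 3600, password: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(32)            # unguessable link identifier
        salt = secrets.token_bytes(16)
        pw_hash = (hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
                   if password else None)
        self._items[token] = {
            "value": value,
            "expires_at": self._clock() + ttl_seconds,
            "salt": salt,
            "pw_hash": pw_hash,
            "attempts": 0,
        }
        return token

    def retrieve(self, token: str, password: Optional[str] = None) -> Optional[str]:
        item = self._items.get(token)
        if item is None:
            return None                              # unknown, already read, or destroyed
        if self._clock() >= item["expires_at"]:
            del self._items[token]                   # expired: purge without revealing
            return None
        if item["pw_hash"] is not None:
            candidate = hashlib.pbkdf2_hmac("sha256", (password or "").encode(),
                                            item["salt"], PBKDF2_ITERATIONS)
            if not hmac.compare_digest(candidate, item["pw_hash"]):
                item["attempts"] += 1
                if item["attempts"] >= MAX_PASSWORD_ATTEMPTS:
                    del self._items[token]           # destroy rather than allow guessing
                return None
        del self._items[token]                       # burn on the first successful read
        return item["value"]


def demo() -> dict:
    """Walk through the lifecycle with a fake clock; returns each step's outcome."""
    now = [1_000_000.0]
    store = OneTimeSecretStore(clock=lambda: now[0])
    conn = "postgres://ci_user:example-only-password@db.internal:5432/app"  # constructed sample

    token = store.create(conn, ttl_seconds=3600, password="setup-pass")
    results = {
        "wrong_password": store.retrieve(token, "nope"),       # None
        "first_read": store.retrieve(token, "setup-pass"),     # the connection string
        "second_read": store.retrieve(token, "setup-pass"),    # None: link already consumed
    }

    token2 = store.create(conn, ttl_seconds=3600)              # no password this time
    now[0] += 3601                                             # move past the 1-hour expiry
    results["expired"] = store.retrieve(token2)                # None: never revealed
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {'revealed' if outcome else 'not revealed'}")
```

The point of the model is that after the pipeline owner's single successful read nothing remains to be found later, which is what distinguishes this exchange from a credential left in a chat history. Step 6 of the page's checklist still applies: rotate the password once the secret store holds it, since the value passed through a human's clipboard.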
Best Practices Summary
- ✓ Never commit database credentials to version control
- ✓ Use your CI/CD platform's built-in secrets management for production
- ✓ Use one-time links for initial credential exchange during setup
- ✓ Rotate database passwords after sharing them for setup
- ✓ Audit who has access to database credentials regularly
- ✓ Use separate credentials for development, staging, and production