Wilmer Thomas

Reputation: 1

GitLab variables are not really private, are they?

I am an experienced CI/CD engineer coming from a Configuration Management expertise in processes, methods and tools. However, I am not so experienced in using GitLab CI/CD for automation. I have plenty of experience using Jenkins though, and I find myself a bit confused as there really do not seem to be truly user-private variables for GitLab pipeline setups.

Am I right? All the variables I can manage to see, as administrator, are visible to all other administrators. Therefore I am quite reluctant to execute a solution such as the one proposed in https://gitlab.com/gitlab-examples/ssh-private-key/-/blob/master/.gitlab-ci.yml

Am I missing something, or will the SSH_PRIVATE_KEY not be accessible to all administrators in our setup?

Masking only goes as far as to block visibility in logs, which is fine and all, but I do not want anyone to be able to access the variable content unless they log in with the given account for which a private SSH key is used. Hardly the visibility I want to ensure for an account that has SSH access to ALL environment hosts from dev and test to QA and PROD...

Upvotes: 0

Views: 835

Answers (1)

sytech

Reputation: 40871

Your assessments are correct: users with sufficient access (especially administrators) can reveal the values of variables set in CI/CD settings.

To meet your requirements and for more advanced control of secret access, consider using the Vault integration with user-based claim boundaries. Or, similarly, you can use OpenID Connect claims to connect to cloud providers that can in turn be used to retrieve secrets stored with your cloud provider (e.g. AWS Secrets Manager).

Upvotes: 0
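As an added illustration of the approach sytech describes (not code from the question, the answer, or the gitlab-examples project): a job that obtains the SSH key from Vault's KV engine through a GitLab ID token, with the Vault role bound so that only a job run by the named user, in the named project, on a protected ref can read it. The Vault address, the role, policy and path names, the project id `42` and the `deploy-bot` login are assumed placeholders.

```yaml
# --- Vault side: one-time setup by the Vault administrator (assumed names) ---
# vault auth enable jwt
# vault write auth/jwt/config \
#   jwks_url="https://gitlab.example.com/oauth/discovery/keys" \
#   bound_issuer="https://gitlab.example.com"
# vault policy write prod-ssh-read - <<'EOF'
# path "kv-v2/data/prod/ssh/deploy-key" { capabilities = ["read"] }
# EOF
# vault write auth/jwt/role/prod-ssh-deploy - <<'EOF'
# { "role_type": "jwt",
#   "bound_audiences": ["https://vault.example.com"],
#   "user_claim": "user_login",
#   "bound_claims": { "user_login": "deploy-bot",
#                     "project_id": "42",
#                     "ref_protected": "true" },
#   "policies": ["prod-ssh-read"],
#   "token_explicit_max_ttl": 60 }
# EOF
#
# --- .gitlab-ci.yml: the job that needs the key ---
deploy_prod:
  stage: deploy
  image: alpine:3.19
  rules:
    # Run only on protected refs; Vault independently enforces this via ref_protected.
    - if: $CI_COMMIT_REF_PROTECTED == "true"
  variables:
    VAULT_SERVER_URL: https://vault.example.com
    VAULT_AUTH_ROLE: prod-ssh-deploy
  id_tokens:
    # Short-lived JWT minted by GitLab for this job; it carries the user_login,
    # project_id and ref_protected claims that Vault checks against the role.
    VAULT_ID_TOKEN:
      aud: https://vault.example.com
  secrets:
    # Field "private_key" at kv-v2 path prod/ssh/deploy-key. The key is never
    # stored as a CI/CD variable, so there is nothing for other admins to reveal.
    SSH_PRIVATE_KEY:
      vault: prod/ssh/deploy-key/private_key@kv-v2
      token: $VAULT_ID_TOKEN
      file: false
  before_script:
    - apk add --no-cache openssh-client
    - eval "$(ssh-agent -s)"
    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
  script:
    - ssh deploy-bot@prod.example.com 'sh -s' < ./deploy.sh
```

The `secrets:vault` keyword requires `VAULT_SERVER_URL` and `VAULT_AUTH_ROLE` to be set and assumes the JWT auth method is mounted at its default path `jwt`; a job whose token fails any bound claim gets no secret, and the job log only ever shows the masked variable.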
