Leaked AWS access and secret key to gitlab-ca-cache, DB credentials to psql-timings01.gitlab.com

We received the following notice to security@gitlab.com:

Hi,

We’ve found that the following GitLab EE job discloses credentials:

https://gitlab.com/gitlab-org/gitlab-ee/-/jobs/20245620

"AWS_ACCESS_KEY_ID"=>"AKIAISASUVX4ADHTDLPA"
"AWS_SECRET_ACCESS_KEY"=>"[redacted]"
"RSPEC_PROFILING_POSTGRES_URL"=>"postgres://ci_stats:[redacted]@psql-timings01.gitlab.com:5432/ci_stats"

There are some other credentials that are leaked. The DB credentials work but don’t seem to belong to the superuser group and hence are not so useful for an attacker. The data does not seem to be super important either.

I am not sure what caused these keys to be exposed in this log, but there are also some keys that are redacted (XXXXX’s). Maybe some keys are being missed under certain scenarios?

The AWS access token listed allows all access to the arn:aws:s3:::gitlab-ce-cache/* bucket. I need to know if I can revoke that key immediately. The DB server is running on Digital Ocean and I'm unfamiliar with its purpose.

@mkozono @yorickpeterse @pcarranza @stanhu @rspeicher @marin
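The report notes that some values in the job output were redacted (runs of X's) while others printed in the clear. The check below is an added example, not part of this issue or of GitLab's own code: it parses the `"KEY"=>"VALUE"` pairs a Ruby `inspect` of the environment prints into a job log and flags values that look like AWS access key IDs, credentials embedded in connection URLs, or sensitive-looking variable names that were not redacted. The sample log and every value in it are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of "KEY"=>"VALUE" pairs as a CI job log would show them.
# All values are placeholders, not real credentials.
SAMPLE_LOG = '''\
"AWS_ACCESS_KEY_ID"=>"AKIAEXAMPLEEXAMPLE01"
"AWS_SECRET_ACCESS_KEY"=>"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
"RSPEC_PROFILING_POSTGRES_URL"=>"postgres://ci_stats:hunter2@psql-example.invalid:5432/ci_stats"
"CI_PROJECT_NAME"=>"gitlab-ee"
"RAILS_ENV"=>"test"
'''

PAIR_RE = re.compile(r'"([^"]+)"=>"([^"]*)"')
# Long-lived (AKIA) and temporary (ASIA) AWS access key IDs: prefix + 16 chars.
AWS_KEY_ID_RE = re.compile(r'\b(?:AKIA|ASIA)[0-9A-Z]{16}\b')
SENSITIVE_NAME_RE = re.compile(r'SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE_KEY|ACCESS_KEY', re.I)
REDACTED_VALUES = {'[redacted]', '[masked]'}

def is_redacted(value):
    """True for placeholder values such as [redacted] or a run of X's / *'s."""
    v = value.strip()
    return v.lower() in REDACTED_VALUES or (len(v) >= 4 and set(v) <= {'X', 'x', '*'})

def url_password(value):
    """Return the password from a URL's userinfo part, or None if there is none."""
    if '://' not in value:
        return None
    try:
        return urlsplit(value).password
    except ValueError:
        return None

def scan_job_log(text):
    """Return (variable, status, reason) for each pair that needs attention."""
    findings = []
    for key, value in PAIR_RE.findall(text):
        pw = url_password(value)
        if is_redacted(value) or (pw is not None and is_redacted(pw)):
            findings.append((key, 'redacted', None))
        elif AWS_KEY_ID_RE.search(value):
            findings.append((key, 'exposed', 'aws-access-key-id'))
        elif pw:
            findings.append((key, 'exposed', 'credential-in-url'))
        elif SENSITIVE_NAME_RE.search(key):
            findings.append((key, 'exposed', 'sensitive-name'))
    return findings

if __name__ == '__main__':
    # Report variable names and status only; never echo the values themselves.
    for key, status, reason in scan_job_log(SAMPLE_LOG):
        print(f'{status:8} {key}' + (f'  ({reason})' if reason else ''))
```

Anything reported as `exposed` should be treated as compromised and rotated; the `redacted` entries are the ones the log masking actually caught.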
