Add "~" to supported characters for variable mask
Release notes
Securely managing secrets in variables is a must, and masking only supports certain characters. GitLab now supports '~' in the masking of CI/CD variables, so secrets generated by other secret provider platforms can be masked as well.
Problem to solve
Azure service principal secrets are generated by the Azure platform, and their character set includes ~.
The mask functionality does not support the tilde character, so Azure service principal secrets cannot be masked in GitLab CI at the moment.
Intended users
Devon needs to be able to let GitLab CI access Azure resources.
Sidney configures Azure service principal authentication and puts the secrets in GitLab CI variables. The secrets often contain ~, as this is one of just a few "special characters" that Azure uses.
Sam wants authentication and authorization secrets to be masked and protected from leaking to unauthorized people.
User experience goal
The user should be able to use GitLab CI variable masking also for variables that store Azure service principal secrets.
Proposal
Follow the same process as for #37469 (closed).
Further details
- Allow secrets with ~ to be protected without extra effort
- Allow any string with a tilde to be masked
Permissions and Security
A maintainer should be able to add them to the project CI variables just like any other variable. No change to the security model for this change.
Documentation
Availability & Testing
Testing would be similar to this merge request: !29022 (merged)
Available Tier
Free
What does success look like, and how can we measure that?
A maintainer can add a string with "~" in the Project or Group settings' CI Variables page as a masked variable. That string should then be masked if rendered in the CI job log.
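Added illustration of the success criterion above (not GitLab's own code; the two allow-list regular expressions are assumptions that model a rule without and with "~", not GitLab's actual patterns): a value that fails the maskability rule is rendered verbatim in the job log, while one that passes is replaced before rendering.

```ruby
# Hypothetical maskability rules for this example only. OLD_MASKABLE models a
# character set without '~'; NEW_MASKABLE adds it. Neither is GitLab's exact regex.
OLD_MASKABLE = /\A[a-zA-Z0-9_+=\/@:.-]{8,}\z/
NEW_MASKABLE = /\A[a-zA-Z0-9_+=\/@:.~-]{8,}\z/

# True when the value satisfies the given maskability rule.
def maskable?(value, rule = NEW_MASKABLE)
  value.match?(rule)
end

# Replaces every occurrence of each maskable variable value in a job-log line
# with "[MASKED]". Values that fail the rule are left untouched, which is the
# leakage this issue is about.
def mask_log(line, values, rule = NEW_MASKABLE)
  values.select { |v| maskable?(v, rule) }
        .sort_by { |v| -v.length } # longest first so a shorter value does not split a longer mask
        .reduce(line) { |acc, v| acc.gsub(v, '[MASKED]') }
end

# Constructed sample: an Azure-style secret containing '~' (not a real secret).
SECRET = 'abc~Def12.ghi~JKL'
LOG_LINE = "az login --service-principal -p #{SECRET} --tenant example"

if __FILE__ == $PROGRAM_NAME
  puts mask_log(LOG_LINE, [SECRET], OLD_MASKABLE) # secret is printed in clear
  puts mask_log(LOG_LINE, [SECRET], NEW_MASKABLE) # secret is replaced by [MASKED]
end
```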
What is the type of buyer?
Core, since that is where the other masking functionality went.
Is this a cross-stage feature?
Links / references
GitLab FOSS #63043 and !31065: Support @ and : in variable masking
#37469 (closed) and !29022 (merged): Add "." to supported characters for variable mask
#250744: Prevent credential leakage by reducing masked variables restrictions