I have sensitive key information probably on several branches in multiple commits. I am stupid. When I was first learning about AWS and setting it up with fog and carrierwave it hadn't even occurred to me that my secret keys were being published to GitHub every commit. Even after I tried to add the files to the gitignore. The problem is, how do I undo many, many commits that publish this information and implement a gem like figaro to keep that info secret from GitHub? I almost have to delete my repo...

dmberko11

  • Maybe this can help you out? https://help.github.com/articles/removing-sensitive-data-from-a-repository/ – Stephan Schrijver Oct 25 '18 at 18:57
  • Possible duplicate of [Remove sensitive files and their commits from Git history](https://stackoverflow.com/questions/872565/remove-sensitive-files-and-their-commits-from-git-history) – Sean Pianka Oct 25 '18 at 19:02
  • In AWS, the term "keypair" relates to SSH, not to IAM User credentials (which are an access key and a secret key). You presumably are talking about the latter, not the former. Just rotate the credentials (deactivate the old set, create and start using a new set). – jarmod Oct 25 '18 at 19:35

1 Answer

Don't touch your GitHub repo. Simply connect to AWS, go to IAM -> Users and find the username. Now, go to the 'Security Credentials' tab, and scroll down to 'Access Keys'. Click the 'Create Access Key' button. Make a note of the new access key (but not on GitHub!) and replace the compromised keys with the new keys.

Once you're done, click 'Make Inactive' under 'Status' for the old keys. Once you've had new keys in place for a few days or a week, with no problems, simply delete the old keys.

You can leave the old keys in GitHub, as, once you click 'Make Inactive', they are useless anyway.

Mark J. Bobak (edited by halfer)
  • That's good advice. I went with a different solution and just went into GitHub and deleted the application.yml which was generated by figaro to store the access keys in. For some reason I already had that file being tracked by GitHub before it was automatically added into the gitignore by figaro. – dmberko11 Oct 25 '18 at 19:45
  • @dmberko11 Ya, but you can go back in the repo and still find that file by viewing past pushes. I had credentials for a different service gotten this way. Make sure the old keys are deactivated; someone will get them if you don't. – Rockwell Rice Oct 25 '18 at 20:12
  • Yeah, I rotated the keys. I read some Medium article of a lady who had made the same mistake I did with exposing her credentials on GitHub, only she had $7k worth of charges on her AWS account. That's ridiculous. – dmberko11 Oct 25 '18 at 22:32
  • @dmberko11 just some additional advice: when using AWS credentials in an application / configuration, try to give it the minimum required permissions (e.g. read/write from and to a specific bucket, queue, ...). Indeed there are scripts for harvesting cloud account credentials from public repositories. – gusto2 Oct 26 '18 at 16:35