Connect to the job with SSH (use "Rerun job with SSH"), then simply run `env` and copy and paste the vars.
Note: make sure you have an SSH key in your GitHub settings. If it's missing, CircleCI will silently fail to show the "Enable SSH" setting in the re-run.
Here are steps to retrieve the hidden project or context environment variables from CircleCI, without printing them in the CI job output itself, using symmetric encryption.
Only you (the holder of the temporary symmetric key) will be able to see and decrypt the variables; anyone who only has read access to the project in CircleCI will not.
Generate the temporary key using openssl. 48 bytes still makes it fit on a single line, which simplifies the next step.

```sh
openssl rand -base64 48 > key.bin
```
Then go to the project's settings in CircleCI and add this as a new (temporary) env var:
- name: `MY_KEY`
- value: the string content from inside `key.bin`

On a new temporary branch (`git checkout -b vars`), change your `.circleci/config.yml` to include this job:
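```yaml
# Goes under the existing top-level "jobs:" key
vars:
  docker:
    - image: cimg/node:14.19
  steps:
    - run:
        name: get vars
        command: |
          # Write the temporary key, dump and encrypt the environment,
          # then delete the plaintext and the key before the job ends
          echo "$MY_KEY" > key.bin
          env | sort > vars.txt
          openssl enc -aes-256-cbc -salt -in vars.txt -out vars.enc.txt -pass file:./key.bin -md sha512
          rm vars.txt key.bin
    # Only the encrypted file is stored as an artifact
    - store_artifacts:
        path: vars.enc.txt
```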
and add it to the workflow:

```yaml
workflows:
  version: 2
  build:
    jobs:
      - vars
```
You could remove all other jobs from the workflow if you want, as we only want to export the vars in a one-off CI job.
Push the branch and create a PR to trigger the CI job (depending on how it's triggered in your setup).
Once finished, under "Artifacts" you should find the file `vars.enc.txt`, which will be the encrypted file with all the environment variables.
Download this file locally into the same folder as your `key.bin`.
Locally run this in the folder with the `vars.enc.txt` and `key.bin` files to decrypt the file:

```sh
openssl enc -d -aes-256-cbc -in vars.enc.txt -out vars.txt -pass file:./key.bin -md sha512
```

Now you should be able to see the decrypted environment variables in `vars.txt`!
Locally, remove the one-off key (don't use it for other stuff) and the encrypted file:

```sh
rm key.bin
rm vars.enc.txt
```
In CircleCI, go to the project/context settings > environment variables and delete `MY_KEY`.
In GitHub, close your PR (don't merge it) and delete the branch as needed.
Locally, remove the git branch:

```sh
git checkout main
git branch -d vars
```
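A local dry run of the encrypt and decrypt commands from the steps above, as an added example that is not part of the original gist: it checks that the same openssl flags round-trip on your machine before the key goes into CircleCI, and that a different key does not recover the plaintext. The function names and the sample variables are constructed for illustration.

```shell
#!/bin/sh
# Added example: local dry run of the gist's openssl flags. Sample values are constructed.

# Encrypt $1 into $2 with key file $3 (same flags as the CI job).
encrypt_vars() {
    openssl enc -aes-256-cbc -salt -in "$1" -out "$2" -pass "file:$3" -md sha512 2>/dev/null
}

# Decrypt $1 into $2 with key file $3 (same flags as the local decrypt step).
decrypt_vars() {
    openssl enc -d -aes-256-cbc -in "$1" -out "$2" -pass "file:$3" -md sha512 2>/dev/null
}

# Returns 0 if a file encrypted with a fresh key decrypts byte-for-byte with that key.
roundtrip_ok() {
    dir=$(mktemp -d) || return 1
    openssl rand -base64 48 > "$dir/key.bin"
    printf 'API_TOKEN=constructed-sample-value\nMY_KEY=placeholder\n' > "$dir/vars.txt"
    rc=0
    encrypt_vars "$dir/vars.txt" "$dir/vars.enc.txt" "$dir/key.bin" &&
        decrypt_vars "$dir/vars.enc.txt" "$dir/out.txt" "$dir/key.bin" &&
        cmp -s "$dir/vars.txt" "$dir/out.txt" || rc=1
    rm -rf "$dir"
    return $rc
}

# Returns 0 if a different key does NOT yield the plaintext. CBC in `openssl enc`
# is unauthenticated: a wrong key usually fails the padding check but can also
# exit 0 with garbage, so compare content instead of trusting the exit code.
wrong_key_rejected() {
    dir=$(mktemp -d) || return 1
    openssl rand -base64 48 > "$dir/key.bin"
    openssl rand -base64 48 > "$dir/other.bin"
    printf 'API_TOKEN=constructed-sample-value\n' > "$dir/vars.txt"
    rc=0
    encrypt_vars "$dir/vars.txt" "$dir/vars.enc.txt" "$dir/key.bin" || rc=1
    if decrypt_vars "$dir/vars.enc.txt" "$dir/out.txt" "$dir/other.bin" &&
        cmp -s "$dir/vars.txt" "$dir/out.txt"; then
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

roundtrip_ok && echo "round trip: ok"
wrong_key_rejected && echo "wrong key: rejected"
```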
@alexkli Thanks for this! It saved me an uncomfortable talk with my manager on how I was able to lose an encryption key. Was able to recover it through CircleCI and the method above. You rock!