Are secrets passing in transit between the drone-amazon-plugin and the drone runner being encrypted by the given token, or some other way?
Yes! The secrets passed are encrypted with the token provided; refer to https://docs.drone.io/secret/encrypted/
I just wanted to follow up and provide more detail. When you use a secret extension, secrets are encrypted in transit using aesgcm. This ensures payloads are encrypted even if you do not have HTTPS set up. You can audit the relevant code here:
Thanks for the response. Where can I see the runner code that sends the “aesgcm” header?
After some investigation, our drone runner is not sending “aesgcm” as the Accept-Encoding header; it's sending “identity”, so our secrets are not encrypted by the drone amazon-secret-plugin.
What configuration should we change in the runner/drone-server for it to use “aesgcm”?
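
The negotiation discussed in this thread, as an added example that is not code from the thread or from the Drone project: a stand-in extension encrypts its reply only when the request carries `Accept-Encoding: aesgcm`, and the caller fails closed when the reply is not encrypted (the `identity` case reported above). The names `gcm`, `extension` and `fetch`, the SHA-256 key derivation, the `Content-Encoding: aesgcm` reply marker and the nonce-prefixed layout are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"net/http"
	"net/http/httptest"
)

func gcm(token string) cipher.AEAD {
	k := sha256.Sum256([]byte(token)) // assumed key derivation, for illustration
	b, _ := aes.NewCipher(k[:])
	g, _ := cipher.NewGCM(b)
	return g
}

func extension(token string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		out := []byte("constructed-secret") // hypothetical extension, constructed secret
		if r.Header.Get("Accept-Encoding") == "aesgcm" {
			g := gcm(token)
			nonce := make([]byte, g.NonceSize())
			rand.Read(nonce)
			out = g.Seal(nonce, nonce, out, nil) // nonce is prepended to the ciphertext
			w.Header().Set("Content-Encoding", "aesgcm")
		}
		w.Write(out)
	})
}

// fetch fails closed: a reply not marked aesgcm, or not authentic, is rejected.
func fetch(h http.Handler, token, accept string) (string, error) {
	req, rec := httptest.NewRequest("POST", "/", nil), httptest.NewRecorder()
	req.Header.Set("Accept-Encoding", accept)
	h.ServeHTTP(rec, req)
	body, n := rec.Body.Bytes(), gcm(token).NonceSize()
	if rec.Header().Get("Content-Encoding") != "aesgcm" || len(body) < n {
		return "", fmt.Errorf("refusing unencrypted reply (sent Accept-Encoding: %s)", accept)
	}
	pt, err := gcm(token).Open(nil, body[:n], body[n:], nil)
	return string(pt), err
}

func main() {
	fmt.Println(fetch(extension("constructed-token"), "constructed-token", "aesgcm"))
	fmt.Println(fetch(extension("constructed-token"), "constructed-token", "identity"))
}
```

Because AES-GCM authenticates the payload, a caller holding a different token also gets an error rather than a garbled secret.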