Stored securely in the GitLab server
Injected into jobs at runtime
Available in project-, group- and instance-level
Careful with protected variables
See chapter Variables
Many values are rejected by GitLab
Store base64-encoded values
Decode values before use:
job_name:
script:
- echo "$( echo "${MASKED_VAR}" | base64 -d )"
Careful! Original value will not be masked!
Prevent project maintainers/owners to read masked CI variables:
But masked values can always be leaked through a pipeline:
job_name:
script:
- echo "${MASKED_VAR}" | base64 -d