To securely manage application secrets for a CI/CD pipeline, what is the recommended practice?

The recommended practice for securely managing application secrets in a CI/CD pipeline is to encrypt secrets in Cloud Storage using Cloud KMS. This approach ensures that sensitive information is not stored in plaintext, significantly reducing the risk of exposure. Cloud KMS provides strong encryption capabilities, allowing you to manage encryption keys securely and use them to encrypt your secrets. By storing secrets in Cloud Storage, you can control access and apply IAM policies effectively, further enhancing security.

Using Cloud KMS allows for centralized key management, enabling you to manage access to your secrets via IAM roles, audit key usage, and comply with various security policies. The combination of encryption and secure storage makes this option robust against unauthorized access and potential leaks.

Storing secrets directly in configuration files or source code is highly discouraged due to the risk of accidental exposure through version control systems or file sharing. Prompting for secrets at build time without any form of storage does not provide a sustainable or secure solution, as it relies on human memory and can lead to inconsistencies and errors.