Authentication overview
Codeship provides a continuous integration and continuous delivery (CI/CD) platform designed for automating software development workflows. Authentication within Codeship serves two primary purposes: securing user access to the platform and enabling secure communication between Codeship's build environment and external services, such as Git repositories, deployment targets, and third-party APIs.
User authentication to the Codeship web interface is typically handled through OAuth integration with supported Git providers like GitHub or Bitbucket. This approach leverages the established security mechanisms of these providers for user identity verification. Once authenticated, users can manage projects, configure CI/CD pipelines, and define deployment strategies.
For programmatic access and to allow Codeship projects to interact with external resources, the platform uses a combination of SSH keys and API tokens. SSH keys are fundamental for securely cloning private Git repositories and connecting to remote servers for deployment. API tokens provide a mechanism for scripts or external applications to interact with the Codeship API, enabling automation of administrative tasks or integration with other development tools. Codeship also supports the secure management of sensitive data, such as database credentials or API keys, through encrypted environment variables, ensuring that these are not exposed directly in build scripts or version control.
Supported authentication methods
Codeship supports several authentication methods, each tailored for specific use cases within the CI/CD workflow. These methods ensure secure access to the platform itself, as well as to external services and repositories that your projects interact with.
User Authentication to Codeship
- OAuth with Git Providers: Users authenticate to the Codeship web application by linking their GitHub or Bitbucket accounts. This method delegates user authentication and authorization to the chosen Git provider, simplifying login and leveraging existing identity management systems. This is the primary way users access the Codeship dashboard and manage their projects. Codeship's official documentation details the process of connecting a Git repository.
Project and Service Authentication
- SSH Keys: SSH (Secure Shell) keys are primarily used for secure communication with Git repositories (e.g., cloning private repositories) and remote servers for deployment. Codeship allows users to generate SSH key pairs within the platform or upload existing ones. The public key is then added to the Git repository or deployment target, while the private key remains secured within Codeship's environment. The use of SSH keys is a standard practice for secure remote access, as outlined by the IETF Secure Shell Protocol Architecture documentation.
- API Tokens: Codeship provides API tokens for programmatic interaction with its platform via the Codeship API. These tokens grant access to specific functionalities, such as triggering builds, fetching build status, or managing projects. API tokens are suitable for integrating Codeship with custom scripts, monitoring tools, or other development platforms. They should be treated as sensitive credentials and managed securely. You can find more information about using the Codeship API in the Codeship API documentation.
- Encrypted Environment Variables: While not a direct authentication method for Codeship itself, encrypted environment variables are critical for securely storing credentials (like API keys, database passwords, or third-party service tokens) that your build or deployment scripts need during execution. Codeship encrypts these variables at rest and injects them into the build environment at runtime, preventing them from being exposed in plain text within your repository or build logs. This method is crucial for maintaining the confidentiality of sensitive data during CI/CD processes, a principle also emphasized in general security guidance like Google Cloud's security best practices for cloud environments.
Below is a table summarizing the supported authentication methods:
| Method | When to Use | Security Level |
|---|---|---|
| OAuth with Git Provider | User login to Codeship web interface | High (delegated to Git provider) |
| SSH Keys | Accessing private Git repositories, deploying to remote servers | High (public-key cryptography) |
| API Tokens | Programmatic interaction with Codeship API | Moderate to High (depends on token scope and management) |
| Encrypted Environment Variables | Storing sensitive credentials for build/deployment scripts | High (encrypted at rest, injected at runtime) |
Getting your credentials
Obtaining and configuring credentials for Codeship involves different steps depending on the authentication method you intend to use. Codeship provides integrated tools and clear documentation to guide you through this process.
For User Login (OAuth with Git Providers)
- Connect your Git Account: When you first sign up or log in to Codeship, you will be prompted to connect your GitHub or Bitbucket account. This authorizes Codeship to access your repositories (read-only for listing, read/write for webhooks and build status updates).
- Grant Permissions: Review and grant the necessary permissions requested by Codeship through your Git provider's OAuth flow. These permissions are typically limited to repository access for CI/CD purposes.
For SSH Keys
- Generate SSH Key Pair within Codeship: For each project, navigate to the Project Settings in Codeship. Under the 'General' or 'SSH Keys' section, you can generate a new SSH key pair. Codeship will provide you with the public key.
- Add Public Key to Git Provider or Server: Copy the generated public key and add it to your Git repository's deploy keys (e.g., in GitHub's repository settings under 'Deploy keys' or Bitbucket's 'Access keys'). For server deployments, add the public key to the `~/.ssh/authorized_keys` file on your target server. Refer to the Codeship SSH keys documentation for detailed instructions.
- Upload Existing SSH Key (Optional): If you have an existing SSH key pair you wish to use, you can upload the private key to Codeship (ensuring it's properly encrypted) and then add the corresponding public key to your Git provider or server.
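As an added example (not from Codeship's documentation or tooling), the server side of the authorized_keys step above as a POSIX shell script: it takes the public key line Codeship displays and installs it with the `restrict` and `command=` options, so the deploy key can run exactly one deployment command and nothing else. The key material, the `/usr/local/bin/deploy-app` path and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from Codeship's documentation. Builds a restricted
# authorized_keys entry for the public key Codeship shows you, so the deploy
# key can run exactly one command on the target server and nothing else.
set -eu

# Accept only a public key line in the form OpenSSH prints it:
# "<type> <base64> [comment]". Anything else (a pasted private key, an empty
# line, an unexpected key type) is rejected before it reaches the server.
valid_public_key() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Prefix the key with "restrict" (OpenSSH 7.2+: no port/agent/X11 forwarding,
# no PTY) and "command=" so that whatever the client asks to run, sshd runs
# only the deployment script. A leaked private key then yields one deployment
# action rather than a shell.
restricted_key_entry() {
    pubkey="$1"
    deploy_cmd="$2"
    if ! valid_public_key "$pubkey"; then
        echo "refusing: not an OpenSSH public key line" >&2
        return 1
    fi
    case "$deploy_cmd" in
        /*) ;;
        *) echo "refusing: deploy command must be an absolute path" >&2; return 1 ;;
    esac
    printf 'restrict,command="%s" %s\n' "$deploy_cmd" "$pubkey"
}

# Append the entry to an authorized_keys file, creating the directory and file
# with the modes sshd requires (0700 / 0600). Re-running is harmless: an entry
# that is already present is not duplicated.
install_key() {
    entry="$1"
    keyfile="$2"
    dir=$(dirname "$keyfile")
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$keyfile"
    chmod 600 "$keyfile"
    if grep -qxF -- "$entry" "$keyfile"; then
        return 0
    fi
    printf '%s\n' "$entry" >> "$keyfile"
}

# Usage on the deployment server (the key below is constructed, not a real key):
#   entry=$(restricted_key_entry 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial0000000000 codeship-deploy' /usr/local/bin/deploy-app)
#   install_key "$entry" "$HOME/.ssh/authorized_keys"
```

With `command=` in place, sshd ignores the command the client requests and runs the deployment script instead (the requested command is still visible to the script in `SSH_ORIGINAL_COMMAND`), which is what keeps a deploy key from doubling as a general-purpose login.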
For API Tokens
- Generate API Token: In your Codeship user profile or organization settings, look for an 'API' or 'Tokens' section. You can generate a new API token there. During generation, you might be able to define the scope or permissions associated with the token.
- Securely Store Token: Once generated, the API token will be displayed. It is crucial to copy this token immediately and store it securely, as it typically won't be displayed again for security reasons. Treat API tokens like passwords.
- Use in Requests: Include the API token in the headers of your HTTP requests to the Codeship API, usually as an `Authorization: Bearer <YOUR_API_TOKEN>` header. The Codeship API reference provides examples of how to use these tokens.
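Added example, not code from the Codeship API reference: a POSIX shell helper that sends the bearer header described above with a token read from the environment rather than from a literal in the script. `CODESHIP_API_TOKEN` and `CODESHIP_API_BASE` are variable names assumed by this example, and the base URL value is a placeholder to be replaced with the one given in the Codeship API reference.

```shell
#!/bin/sh
# Added example, not code from the Codeship API reference. Sends the bearer
# header with a token taken from the environment, never from a literal in the
# script. CODESHIP_API_TOKEN and CODESHIP_API_BASE are names assumed by this
# example; the base URL value is a placeholder to replace with the one given in
# the Codeship API reference.
set -eu

CODESHIP_API_BASE="${CODESHIP_API_BASE:-https://codeship-api.example.invalid}"

# Build the header value. Fails with a message on stderr (the token is never
# printed) when the variable is unset or empty, so a misconfigured step stops
# before sending an unauthenticated request.
auth_header() {
    token="${CODESHIP_API_TOKEN:-}"
    if [ -z "$token" ]; then
        echo "CODESHIP_API_TOKEN is not set; store it as an encrypted environment variable" >&2
        return 1
    fi
    printf 'Authorization: Bearer %s\n' "$token"
}

# Log-safe rendering of a secret: only the last four characters survive, enough
# to tell which token a build used without revealing it.
mask_secret() {
    secret="$1"
    n=${#secret}
    if [ "$n" -le 4 ]; then
        printf '****\n'
        return 0
    fi
    printf '****%s\n' "$(printf '%s' "$secret" | cut -c "$((n - 3))-")"
}

# Authenticated GET of an API path. The token travels in a header, not in the
# URL, so it does not end up in proxy or access logs; --fail turns an HTTP
# error into a non-zero exit that fails the build step; -sS keeps the progress
# meter out of the log but still reports transport errors.
codeship_get() {
    path="$1"
    header=$(auth_header) || return 1
    echo "GET ${CODESHIP_API_BASE}${path} (token $(mask_secret "${CODESHIP_API_TOKEN}"))" >&2
    curl --fail -sS -H "$header" -H 'Accept: application/json' "${CODESHIP_API_BASE}${path}"
}

# Example call from a build script (needs network access and a real base URL):
#   codeship_get /path/from/the/api/reference
```

The two points worth copying into any script that uses a Codeship token are the early failure when the variable is absent (a missing token should break the build, not silently produce 401s) and the masked log line, which lets you trace which credential a build used without ever writing it to the log.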
For Encrypted Environment Variables
- Navigate to Project Settings: In your Codeship project settings, go to the 'Environment' or 'Variables' section.
- Add New Environment Variable: Provide a name for your variable (e.g., `DB_PASSWORD`) and its corresponding sensitive value.
- Mark as Encrypted: Codeship will offer an option to encrypt the variable. Ensure this option is selected. Codeship handles the encryption and decryption process automatically, making the variable available to your build scripts at runtime without exposing its raw value. This process is detailed in the Codeship environment variables guide.
Authenticated request example
While direct authenticated requests to Codeship usually involve the API for administrative tasks, a common scenario is Codeship making an authenticated request to an external service during a build or deployment.
Example: Deploying to an AWS S3 Bucket using Encrypted Environment Variables
This example demonstrates how Codeship authenticates with AWS S3 using credentials stored as encrypted environment variables during a deployment pipeline. The build script leverages these variables to securely upload build artifacts.
Codeship Project Setup:
In your Codeship project settings, under Environment Variables, you would set up:
- `AWS_ACCESS_KEY_ID`: Your AWS access key ID (encrypted)
- `AWS_SECRET_ACCESS_KEY`: Your AWS secret access key (encrypted)
- `S3_BUCKET_NAME`: The name of your S3 bucket (can be unencrypted if not sensitive)
Codeship Build Step (codeship-steps.yml for Codeship Pro or a custom script in Basic):
```yaml
- name: Deploy to S3
  service: app
  command: |
    pip install awscli
    aws s3 sync ./build s3://${S3_BUCKET_NAME}/ --delete --region us-east-1
```
Explanation:
- The `pip install awscli` command ensures the AWS CLI tool is available in the build environment.
- The `aws s3 sync` command is executed. The AWS CLI automatically discovers the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables and uses them for authentication with AWS. This is a standard behavior of the AWS Command Line Interface.
- The `S3_BUCKET_NAME` variable is directly used in the command line to specify the deployment target.
- Codeship ensures that `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are securely injected into the build environment, making them accessible to the AWS CLI without exposing their values in logs or configuration files.
This illustrates how Codeship facilitates secure authenticated interactions with external services using its built-in credential management features.
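Added example (not from Codeship's documentation or the AWS CLI project): a hardened shell version of the deploy step above. It fails fast when one of the three variables is missing, checks the bucket name before it is interpolated into the command line, keeps shell tracing off so the credentials never reach the build log, and lets a pull-request build run the sync as a dry run. It assumes the same three variables as the page; `DRY_RUN` and `RUN_DEPLOY` are variables assumed for this example only.

```shell
#!/bin/sh
# Added example, not Codeship's or AWS's code: a hardened form of the
# "Deploy to S3" step. It uses the same three variables as the page
# (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, S3_BUCKET_NAME); DRY_RUN and
# RUN_DEPLOY are assumptions of this example.
set -eu
# Deliberately no "set -x": command tracing would print every expanded argument
# into the build log, and any later step that puts a secret on a command line
# would then leak it.

# Fail the step early if a required variable is unset or empty. Only the name is
# printed, never the value.
require_env() {
    name="$1"
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
        echo "required environment variable $name is missing or empty" >&2
        return 1
    fi
}

# S3_BUCKET_NAME is interpolated into a command line, so check it against the
# S3 naming rules (3-63 characters; lowercase letters, digits, dots, hyphens;
# starts and ends with a letter or digit) before it is used.
valid_bucket_name() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$'
}

deploy() {
    require_env AWS_ACCESS_KEY_ID
    require_env AWS_SECRET_ACCESS_KEY
    require_env S3_BUCKET_NAME
    if ! valid_bucket_name "$S3_BUCKET_NAME"; then
        echo "S3_BUCKET_NAME is not a valid S3 bucket name" >&2
        return 1
    fi
    # Build the option list; --dryrun lets a pull-request build exercise the
    # step without touching the bucket.
    set -- --delete --region us-east-1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        set -- "$@" --dryrun
    fi
    pip install awscli
    # The AWS CLI reads the two credential variables from the environment
    # itself, so they never appear as arguments and never reach this log line.
    echo "aws s3 sync ./build s3://${S3_BUCKET_NAME}/ $*"
    aws s3 sync ./build "s3://${S3_BUCKET_NAME}/" "$@"
}

# In codeship-steps.yml the step's command would be "RUN_DEPLOY=1 sh deploy.sh";
# sourcing the file without that variable only defines the functions.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
    deploy
fi
```

The bucket-name check matters because `S3_BUCKET_NAME` is the one value in this step that is spliced into a command line: validating it against the naming rules turns a mistyped or tampered project setting into a clear failure instead of an `aws` invocation with unexpected arguments.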
Security best practices
Implementing strong security practices for Codeship authentication is crucial to protect your CI/CD pipelines, source code, and deployment targets. Adhering to these guidelines helps mitigate risks such as unauthorized access, data breaches, and compromised deployments.
- Use Strong, Unique Passwords for Git Providers: Since Codeship user authentication relies on your Git provider (GitHub, Bitbucket), ensure you use strong, unique passwords for these accounts. Enable multi-factor authentication (MFA) on your Git provider accounts to add an extra layer of security. This is a fundamental security practice for any online service, as recommended by security organizations like the FIDO Alliance for strong authentication standards.
- Enable Multi-Factor Authentication (MFA) on Git Providers: Always enable MFA for your GitHub or Bitbucket accounts. This significantly reduces the risk of unauthorized access even if your password is compromised.
- Rotate SSH Keys Regularly: Periodically generate new SSH keys for your projects and revoke old ones. While there isn't a universally mandated rotation frequency, a common practice is annually or biannually, or immediately if a key is suspected of compromise. Codeship's interface allows for easy key generation and management.
- Limit SSH Key Scope: When adding SSH public keys to Git repositories or deployment servers, grant only the necessary permissions. For example, use 'deploy keys' in GitHub with read-only access for cloning, and only grant write access where absolutely required for deployments.
- Treat API Tokens as Sensitive Data: API tokens provide programmatic access to your Codeship account. Store them securely, never hardcode them directly into scripts or commit them to version control. Pass them as environment variables or use a secure secrets management solution.
- Restrict API Token Permissions: If Codeship's API token generation allows for scope or permission definition, always generate tokens with the least privilege necessary for their intended function. Avoid using tokens with broad administrative access for routine automation tasks.
- Utilize Encrypted Environment Variables for All Secrets: Never store sensitive information (API keys, database credentials, third-party service tokens) in plain text within your repository. Always use Codeship's encrypted environment variables feature for these secrets. This ensures they are encrypted at rest and only decrypted and exposed within the secure build environment.
- Audit Access Logs: Regularly review Codeship's audit logs (if available for your plan) and your Git provider's security logs to detect any suspicious activity or unauthorized access attempts. This proactive monitoring can help identify and respond to security incidents promptly.
- Segment Secrets by Project: Avoid reusing the same credentials across multiple Codeship projects. If one project is compromised, only the secrets associated with that project are at risk. Use separate SSH keys and encrypted environment variables for distinct projects where possible.
- Keep Dependencies Updated: Ensure that any tools or libraries used in your build process for authentication (e.g., AWS CLI, Docker client) are kept up to date to benefit from the latest security patches and vulnerability fixes. Codeship Pro's Docker-based approach gives you direct control over your build environment's dependencies.
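Added example, not Codeship tooling: a git pre-commit hook in POSIX shell that enforces the "never hardcode or commit secrets" items above by refusing a commit when a staged file contains an AWS access key ID, a literal bearer token, or a 40-character AWS secret assignment. The three patterns are this example's assumptions (extend them for the services your pipeline uses); the sample lines in `self_check` are constructed, and the key ID there is the example value AWS uses in its own documentation, not a real credential.

```shell
#!/bin/sh
# Added example, not Codeship tooling: a git pre-commit hook that refuses a
# commit when a staged file contains something shaped like a hard-coded
# credential. The patterns are this example's assumptions; extend them for the
# services your pipeline talks to.
set -eu

# Write one extended regex per line for grep -f:
#   1. AWS access key IDs: "AKIA" followed by 16 upper-case alphanumerics
#   2. a literal bearer token pasted after "Authorization: Bearer"
#      (a "$VARIABLE" reference there does not match, which is the point)
#   3. a 40-character AWS secret assigned in a config or shell file
write_patterns() {
    printf '%s\n' \
        'AKIA[0-9A-Z]{16}' \
        'Authorization:[[:space:]]*Bearer[[:space:]]+[A-Za-z0-9._-]{8,}' \
        "AWS_SECRET_ACCESS_KEY[[:space:]]*[=:][[:space:]]*[\"']?[A-Za-z0-9/+=]{40}" \
        > "$1"
}

# Return 0 when the file is clean, 1 when any pattern matches. Findings are
# reported as file:line only; the matching text is deliberately not echoed,
# so the hook does not copy the secret into terminal scrollback or CI logs.
scan_file() {
    file="$1"
    patterns=$(mktemp)
    write_patterns "$patterns"
    hits=$(grep -En -f "$patterns" "$file" | cut -d: -f1)
    rm -f "$patterns"
    if [ -z "$hits" ]; then
        return 0
    fi
    for lineno in $hits; do
        echo "possible hard-coded credential at $file:$lineno" >&2
    done
    return 1
}

# Scan every file added or modified in the index; any finding aborts the commit.
# (Paths containing whitespace are not handled by this simple loop.)
run_hook() {
    status=0
    for f in $(git diff --cached --name-only --diff-filter=ACM); do
        [ -f "$f" ] || continue
        if ! scan_file "$f"; then
            status=1
        fi
    done
    return "$status"
}

# Exercise the scanner on two constructed files. The key ID is the example
# value from AWS's own documentation, not a real credential.
self_check() {
    clean=$(mktemp)
    dirty=$(mktemp)
    printf 'bucket=my-build-artifacts\nregion=us-east-1\n' > "$clean"
    printf 'export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n' > "$dirty"
    result=0
    scan_file "$clean" || result=1
    if scan_file "$dirty" 2>/dev/null; then
        result=1
    fi
    rm -f "$clean" "$dirty"
    return "$result"
}

# Install by making .git/hooks/pre-commit a two-line wrapper that runs
# "exec sh path/to/this-script.sh --hook"; "--self-check" tries the patterns.
case "${1:-}" in
    --hook) run_hook ;;
    --self-check) self_check ;;
esac
```

Because the hook only matches literal values, the `Authorization: Bearer $CODESHIP_API_TOKEN` form that reads the token from an encrypted environment variable passes, while a pasted token does not; that is the behaviour the "pass them as environment variables" practice above is asking for.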