Concourse CI
ConcourseCI/CD4 credentials
Local Team User Password
concourse / local-user-password
Concourse web authentication can define local users and team membership for web UI, fly CLI, and API access.
Location
Concourse web UI, fly CLI, and ATC APIweb node flags, Helm values, docker-compose files, and team auth config
CONCOURSE_ADD_LOCAL_USER, CONCOURSE_MAIN_TEAM_LOCAL_USERBOSH vars, Kubernetes Secrets, CredHub, Vault, and SOPS files
deployment manifests and platform automation repos
web startup logs and auth traces
OAuth / OIDC Client Secret
concourse / oauth-client-secret
Concourse can authenticate teams through GitHub, OIDC, LDAP, and other providers using client secrets and bind credentials.
Location
Concourse web auth flags, Helm values, and BOSH manifests
CONCOURSE_GITHUB_CLIENT_SECRET, CONCOURSE_OIDC_CLIENT_SECRET, CONCOURSE_LDAP_BIND_PWCredHub, Vault, Kubernetes Secrets, and BOSH variable stores
platform deployment repositories
auth provider debug logs
TSA / Worker SSH Keys
concourse / tsa-worker-keys
Concourse workers authenticate to the web TSA using SSH key material. Leaked worker keys can affect worker registration and pipeline execution trust.
Looks like
pattern-----BEGIN (RSA |OPENSSH |EC |)PRIVATE KEY-----Location
TSA host key, authorized worker keys, worker private key files, and Helm/BOSH manifests
Kubernetes Secrets, BOSH variables, and Vault/CredHub entries
deployment backups and support bundles
Pipeline Credential Manager Secret
concourse / pipeline-credential
Concourse pipelines resolve secrets from Vault, CredHub, Kubernetes, SSM, or other credential managers; these values include deploy keys, cloud credentials, passwords, and tokens used by jobs.
Location
Vault, CredHub, Kubernetes Secrets, AWS SSM/Secrets Manager, and other configured credential managers
pipeline var files, vars, credential manager config, and task params
pipeline YAML, task files, and test fixtures
build logs when tasks print secrets or masking fails
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.