Accessing secrets in the workflow definition #866
Comments
You are right, it should be more explicit. Maybe by adding a
The exact same, excellent question, came up during the DSL refactor. If we allow the user to access them using runtime expressions - which can be used everywhere - we basically enable her to bleed secrets. If we still choose to proceed that way, we can choose to not care about what the user do with secrets, as long as we warned her about potential leaks of sensitive information. Otherwise, we can choose to redact secret values in specific cases, like GitHub does, for example. I'm not a fan of that solution, because it's tedious to implement, and we'd have to define all the cases where secrets should be redacted, and the cases where they should not. We could also, like for |
cdavernas
added
change: documentation
cdavernas
changed the title
|
I support adding $secret to the spec. |
matthias-pichler
changed the title
|
In the context of the PR addressing #904, and in order to have a working basic state to fix, hone and improve, I propose that: Replace the actual secret referencing way: use:
secrets:
- basic-auth-secret.json
authentications:
basic: basic-auth-secret.json... which is ugly and sacrifies meaningfullness for the sake of brievety, therefore complexifying the schema with yet another use:
secrets:
- basic-auth-secret.json
authentications:
basic:
use: basic-auth-secret.jsonWhich is more consistent regarding typing, avoids oneOf and is more fluent and ubiquitous. |
|
I think that would be a great first step and can be included in the PR for #904 After that we can talk about the other points |
|
@matthias-pichler-warrify After our small talk on the subject, I had time to think and play around with your suggestions.
As made obvious thanks to your observations, we need to add a new Aside from runtime expressions, I think that referencing by secrets by name should be restricted to authorization only, which is really both for user convenience and code brievety (based on experience with previous DSL versions) use:
secrets:
sampleApi:
from: sample.api.json
sampleBasic:
from: basic.auth.json
authorizations:
basic:
use: sampleBasic
do:
- getProfile:
call: http
with:
endpoint: ${ "https://auth.services.sample.com?apiKey=\($secrets.sampleApi.key)" } |
Hmm yeah that might make sense. Ideally implementers would track that reference through the But that would also mean that your example is incorrect right? You'd need: use:
secrets:
sampleApi:
from: sample.api.json
sampleBasic:
from: basic.auth.json
authorizations:
basic:
use: sampleBasic
do:
- getProfile:
input:
from: '. + {"apiKey": $secrets.sampleApi.key }'
call: http
with:
endpoint: ${ "https://auth.services.sample.com?apiKey=\(.apiKey)" }
that also sounds good to me |
Indeed, sorry about that! |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
@matthias-pichler Should we close this issue in favor of #979, or inversly? |
Current Spec
The current spec defines the following:
/use/secretssecrets can be only referenced in authentication policies. (This I couldn't find in the spec but was told by @cdavernas )
secrets can contain arbitrary values (e.g. objects)
Some points that in my eyes cause a bit of friction:
Secrets are only available in authentication policies
This was new to me and I don't see it documented anywhere. While I agree that this reduces risk of leakage I don't think it's the best call given that some APIs out there are just weird. (If memory serves right the log intake API of Datadog allows an API key in the query). Currently it's not possible to access secrets in the
endpoint/uriproperty.I propose to allow referencing secrets anywhere.
Secrets can contain arbitrary values
Here the secret
basic.jsonreplaces an object that containsusernameandpassword. If we were to allow secrets everywhere this could cause two problems:In this I as the reader do not know if the secret is a string just containing the uri, an object of the form
{"uri": "..."}or if it contains aauthenticationpolicy as well. I think this hides a lot of structure from the readeroneOf: [ActualType, string]If secrets could be referenced everywhere, everything would need to be defined as a string as well. This would produce an ugly and incomprehensible sche,a and also cause a lot of pain for implementers (think OO types of objects or strings).
I propose to limiting secrets to string or primitive values
Referencing secrets
Currently secrets are simply referenced by name: this makes the use of secrets ambiguous. (they become hard to distinguish from a string literal). It also causes cascading effects that might be surprising for example if I start with
and then delete (or fat-finger) the secret
It would still run and the runtime could not really help me with "Secret not found" because it has to assume that "passwordSecret" is now a string literal.
I therefore propose a more structured way to reference secrets
I see two possibilities here and we might end up using both.
refObjectIn line with #904 I would also suggest using an object to reference secrets
as with the linked issue the wording around
useis up for discussion (e.g.use,ref, etc...)$secretsargument in runtime expressionsVersion 0.9 of the spec had the
$SECRETSnamespace. I would suggest specifying a$secretsargument for runtime expressions. It might me necessary to refer to some secrets in runtime expressions. For example some APIs use non standard authentication or headers.The text was updated successfully, but these errors were encountered: