Commit 03fd392

improve english moar
1 parent 5eddfdd commit 03fd392

1 file changed

+12
-9
lines changed

docs/secrets.md

Lines changed: 12 additions & 9 deletions
@@ -70,31 +70,36 @@ This article explains how to use secrets in a workspace. To authenticate the
7070
workspace provisioner, see <a href="./templates/authentication">this</a>.
7171
</blockquote>
7272

73-
Coder takes an unopinionated stance to workspace secrets.
73+
Coder is open-minded about how you get your secrets into your workspaces.
7474

7575
## Wait a minute...
7676

7777
Your first stab at secrets with Coder should be your local method.
7878
You can do everything you can locally and more with your Coder workspace, so
79-
whatever workflow and tools you already use to manage secrets can be brought
79+
whatever workflow and tools you already use to manage secrets may be brought
8080
over.
8181

8282
For most, this workflow is simply:
8383

8484
1. Give your users their secrets in advance
85-
1. They write them to a persistent file after
86-
they've built a workspace
85+
1. Your users write them to a persistent file after
86+
they've built their workspace
8787

8888
<a href="./templates#parameters">Template parameters</a> are a dangerous way to accept secrets.
8989
We show parameters in cleartext around the product. Assume anyone with view
9090
access to a workspace can also see its parameters.
9191

9292
## Dynamic Secrets
9393

94-
Dynamic secrets are attached to the workspace lifecycle and require no setup by
95-
the end user.
94+
Dynamic secrets are attached to the workspace lifecycle and automatically
95+
injected into the workspace. For a little bit of up front template work,
96+
they make life simpler for both the end user and the security team.
9697

97-
They can be implemented in your template code like so:
98+
This method is limited to
99+
[services with Terraform providers](https://registry.terraform.io/browse/providers),
100+
which excludes obscure API providers.
101+
102+
Dynamic secrets can be implemented in your template code like so:
98103

99104
```hcl
100105
resource "twilio_iam_api_key" "api_key" {
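
Review bot: "which excludes obscure API providers" in the added limitation paragraph is vague and reads as a comment on the services rather than a constraint of the method; state the limit directly, e.g. "so services without a Terraform provider cannot be handled this way", and point the reader to the catch-all variation further down. In the same added block, "up front template work" should be hyphenated ("up-front"). On new line 79, "may be brought over" now reads as permission, where the old "can" stated capability and matched the preceding "You can do everything you can locally".
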
@@ -111,8 +116,6 @@ resource "coder_agent" "dev" {
111116
}
112117
```
113118

114-
This method is limited to [services with Terraform providers](https://registry.terraform.io/browse/providers).
115-
116119
A catch-all variation of this approach is dynamically provisioning a cloud service account (e.g [GCP](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_key#private_key))
117120
for each workspace and then making the relevant secrets available via the cloud's secret management
118121
system.
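
Review bot: With the "This method is limited to ..." sentence removed from below the code block, the context line "A catch-all variation of this approach" now follows the closing fence directly and no longer says what it is a catch-all for. If the intent is to cover services that lack a Terraform provider, open the sentence with that case, e.g. "For services without a Terraform provider, a catch-all variation ...". Since this commit is a language pass, the "e.g" in the same line is also missing its period ("e.g.").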

0 commit comments
