|
1 |
| -<<<<<<< HEAD |
2 | 1 | # Secrets
|
3 | 2 |
|
4 | 3 | <blockquote class="info">
|
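Review bot: dropping the stray `<<<<<<< HEAD` marker at line 1 is the correct resolution, but a conflict marker reaching the committed docs means the merge was pushed without any content check; `git diff --check` flags leftover conflict markers, so running it in a pre-commit hook or CI step for the docs tree would have caught this (and the matching `|||||||`, `=======` and `>>>>>>>` lines) before merge.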
@@ -61,68 +60,3 @@ system.
|
61 | 60 | Coder automatically inserts an account-wide SSH key into each workspace. In MacOS
|
62 | 61 | and Linux this key is at `~/.ssh/id_ecdsa`. You can view and
|
63 | 62 | regenerate the key in the dashboard at Settings > SSH keys.
|
64 |
| -||||||| parent of f25c612a... docs: add secrets |
65 |
| -======= |
66 |
| -# Secrets |
67 |
| - |
68 |
| -<blockquote class="info"> |
69 |
| -This article explains how to use secrets in a workspace. To authenticate the |
70 |
| -workspace provisioner, see <a href="./templates/authentication">this</a>. |
71 |
| -</blockquote> |
72 |
| - |
73 |
| -Coder is open-minded about how you get your secrets into your workspaces. |
74 |
| - |
75 |
| -## Wait a minute... |
76 |
| - |
77 |
| -Your first stab at secrets with Coder should be your local method. |
78 |
| -You can do everything you can locally and more with your Coder workspace, so |
79 |
| -whatever workflow and tools you already use to manage secrets may be brought |
80 |
| -over. |
81 |
| - |
82 |
| -For most, this workflow is simply: |
83 |
| - |
84 |
| -1. Give your users their secrets in advance |
85 |
| -1. Your users write them to a persistent file after |
86 |
| - they've built their workspace |
87 |
| - |
88 |
| -<a href="./templates#parameters">Template parameters</a> are a dangerous way to accept secrets. |
89 |
| -We show parameters in cleartext around the product. Assume anyone with view |
90 |
| -access to a workspace can also see its parameters. |
91 |
| - |
92 |
| -## Dynamic Secrets |
93 |
| - |
94 |
| -Dynamic secrets are attached to the workspace lifecycle and automatically |
95 |
| -injected into the workspace. For a little bit of up front template work, |
96 |
| -they make life simpler for both the end user and the security team. |
97 |
| - |
98 |
| -This method is limited to |
99 |
| -[services with Terraform providers](https://registry.terraform.io/browse/providers), |
100 |
| -which excludes obscure API providers. |
101 |
| - |
102 |
| -Dynamic secrets can be implemented in your template code like so: |
103 |
| - |
104 |
| -```hcl |
105 |
| -resource "twilio_iam_api_key" "api_key" { |
106 |
| - account_sid = "ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" |
107 |
| - friendly_name = "Test API Key" |
108 |
| -} |
109 |
| -
|
110 |
| -resource "coder_agent" "dev" { |
111 |
| - # ... |
112 |
| - env = { |
113 |
| - # Let users access the secret via $TWILIO_API_SECRET |
114 |
| - TWILIO_API_SECRET = "${twilio_iam_api_key.api_key.secret}" |
115 |
| - } |
116 |
| -} |
117 |
| -``` |
118 |
| - |
119 |
| -A catch-all variation of this approach is dynamically provisioning a cloud service account (e.g [GCP](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_key#private_key)) |
120 |
| -for each workspace and then making the relevant secrets available via the cloud's secret management |
121 |
| -system. |
122 |
| - |
123 |
| -## Coder SSH Key |
124 |
| - |
125 |
| -Coder automatically inserts an account-wide SSH key into each workspace. In MacOS |
126 |
| -and Linux this key is at `~/.ssh/id_ecdsa`. You can view and |
127 |
| -regenerate the key in the dashboard at Settings > SSH keys. |
128 |
| ->>>>>>> f25c612a... docs: add secrets |
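Review bot: this hunk resolves the conflict by deleting the entire `f25c612a` copy (lines 64-128) and keeping only HEAD, yet the only overlap visible here is the `## Coder SSH Key` paragraph (removed lines 125-127 versus kept lines 61-63) plus the `system.` context in the hunk header. Before merging, confirm that the HEAD copy above line 60 still carries the security guidance that is only visible on the removed side of this hunk, in particular the "Template parameters are a dangerous way to accept secrets. We show parameters in cleartext around the product." warning and the dynamic-secrets HCL example; if HEAD's version differs, that text is lost silently by this resolution. On the kept example itself, the `coder_agent` `env` block with `TWILIO_API_SECRET = "${twilio_iam_api_key.api_key.secret}"` (removed lines 112-114) should be accompanied by a sentence noting that the value is also persisted in Terraform state, so state storage needs the same access controls as the secret.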