1- <<<<<<< HEAD
21# Secrets
32
43<blockquote class =" info " >
@@ -15,7 +14,7 @@ You can do everything you can locally and more with your Coder workspace, so
1514whatever workflow and tools you already use to manage secrets may be brought
1615over.
1716
18- For most , this workflow is simply:
17+ Often , this workflow is simply:
1918
20191 . Give your users their secrets in advance
21201 . Your users write them to a persistent file after
@@ -28,7 +27,7 @@ access to a workspace can also see its parameters.
2827## Dynamic Secrets
2928
3029Dynamic secrets are attached to the workspace lifecycle and automatically
31- injected into the workspace. For a little bit of up front template work,
30+ injected into the workspace. With a little bit of up front template work,
3231they make life simpler for both the end user and the security team.
3332
3433This method is limited to
@@ -61,68 +60,3 @@ system.
6160Coder automatically inserts an account-wide SSH key into each workspace. In MacOS
6261and Linux this key is at ` ~/.ssh/id_ecdsa ` . You can view and
6362regenerate the key in the dashboard at Settings > SSH keys.
64- ||||||| parent of f25c612a... docs: add secrets
65- =======
66- # Secrets
67-
68- <blockquote class =" info " >
69- This article explains how to use secrets in a workspace. To authenticate the
70- workspace provisioner, see <a href =" ./templates/authentication " >this</a >.
71- </blockquote >
72-
73- Coder is open-minded about how you get your secrets into your workspaces.
74-
75- ## Wait a minute...
76-
77- Your first stab at secrets with Coder should be your local method.
78- You can do everything you can locally and more with your Coder workspace, so
79- whatever workflow and tools you already use to manage secrets may be brought
80- over.
81-
82- For most, this workflow is simply:
83-
84- 1 . Give your users their secrets in advance
85- 1 . Your users write them to a persistent file after
86- they've built their workspace
87-
88- <a href =" ./templates#parameters " >Template parameters</a > are a dangerous way to accept secrets.
89- We show parameters in cleartext around the product. Assume anyone with view
90- access to a workspace can also see its parameters.
91-
92- ## Dynamic Secrets
93-
94- Dynamic secrets are attached to the workspace lifecycle and automatically
95- injected into the workspace. For a little bit of up front template work,
96- they make life simpler for both the end user and the security team.
97-
98- This method is limited to
99- [ services with Terraform providers] ( https://registry.terraform.io/browse/providers ) ,
100- which excludes obscure API providers.
101-
102- Dynamic secrets can be implemented in your template code like so:
103-
104- ``` hcl
105- resource "twilio_iam_api_key" "api_key" {
106- account_sid = "ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
107- friendly_name = "Test API Key"
108- }
109-
110- resource "coder_agent" "dev" {
111- # ...
112- env = {
113- # Let users access the secret via $TWILIO_API_SECRET
114- TWILIO_API_SECRET = "${twilio_iam_api_key.api_key.secret}"
115- }
116- }
117- ```
118-
119- A catch-all variation of this approach is dynamically provisioning a cloud service account (e.g [ GCP] ( https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_key#private_key ) )
120- for each workspace and then making the relevant secrets available via the cloud's secret management
121- system.
122-
123- ## Coder SSH Key
124-
125- Coder automatically inserts an account-wide SSH key into each workspace. In MacOS
126- and Linux this key is at ` ~/.ssh/id_ecdsa ` . You can view and
127- regenerate the key in the dashboard at Settings > SSH keys.
128- >>>>>>> f25c612a... docs: add secrets
0 commit comments