|
| 1 | +<<<<<<< HEAD |
1 | 2 | # Secrets
|
2 | 3 |
|
3 | 4 | <blockquote class="info">
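Review bot: the `+<<<<<<< HEAD` line inserted above `# Secrets` is an unresolved git conflict marker being committed into the published docs page; resolve the merge and drop the marker (and its `|||||||`, `=======` and `>>>>>>>` counterparts further down) so only one copy of the article remains.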
|
@@ -60,3 +61,65 @@ system.
|
60 | 61 | Coder automatically inserts an account-wide SSH key into each workspace. In MacOS
|
61 | 62 | and Linux this key is at `~/.ssh/id_ecdsa`. You can view and
|
62 | 63 | regenerate the key in the dashboard at Settings > SSH keys.
|
| 64 | +||||||| parent of f25c612a... docs: add secrets |
| 65 | +======= |
| 66 | +# Secrets |
| 67 | + |
| 68 | +<blockquote class="info"> |
| 69 | +This article explains how to use secrets in a workspace. To authenticate the |
| 70 | +workspace provisioner, see <a href="./templates/authentication">this</a>. |
| 71 | +</blockquote> |
| 72 | + |
| 73 | +Coder takes an unopinionated stance to workspace secrets. |
| 74 | + |
| 75 | +## Wait a minute... |
| 76 | + |
| 77 | +Your first stab at secrets with Coder should be your local method. |
| 78 | +You can do everything you can locally and more with your Coder workspace, so |
| 79 | +whatever workflow and tools you already use to manage secrets can be brought |
| 80 | +over. |
| 81 | + |
| 82 | +For most, this workflow is simply: |
| 83 | + |
| 84 | +1. Give your users their secrets in advance |
| 85 | +1. They write them to a persistent file after |
| 86 | + they've built a workspace |
| 87 | + |
| 88 | +<a href="./templates#parameters">Template parameters</a> are a dangerous way to accept secrets. |
| 89 | +We show parameters in cleartext around the product. Assume anyone with view |
| 90 | +access to your workspace can also see parameters. |
| 91 | + |
| 92 | +## Dynamic Secrets |
| 93 | + |
| 94 | +Dynamic secrets are attached to the workspace lifecycle and require no setup by |
| 95 | +the end user. |
| 96 | + |
| 97 | +They can be implemented in native Terraform like so: |
| 98 | + |
| 99 | +```hcl |
| 100 | +resource "twilio_iam_api_key" "api_key" { |
| 101 | + account_sid = "ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" |
| 102 | + friendly_name = "Test API Key" |
| 103 | +} |
| 104 | +
|
| 105 | +resource "coder_agent" "dev" { |
| 106 | + # ... |
| 107 | + env = { |
| 108 | + # Let users access the secret via #TWILIO_API_SECRET |
| 109 | + TWILIO_API_SECRET = "${twilio_iam_api_key.api_key.secret}" |
| 110 | + } |
| 111 | +} |
| 112 | +``` |
| 113 | + |
| 114 | +This method is limited to [services with Terraform providers](https://registry.terraform.io/browse/providers). |
| 115 | + |
| 116 | +A catch-all variation of this approach is dynamically provisioning a cloud service account (e.g [GCP](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_key#private_key)) |
| 117 | +for each workspace and then make the relevant secrets available via the cloud's secret management |
| 118 | +system. |
| 119 | + |
| 120 | +## Coder SSH Key |
| 121 | + |
| 122 | +Coder automatically inserts an account-wide SSH key into each workspace. In MacOS |
| 123 | +and Linux this key is at `~/.ssh/id_ecdsa`. You can view and |
| 124 | +regenerate the key in the dashboard at Settings > SSH keys. |
| 125 | +>>>>>>> f25c612a... docs: add secrets |
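Review bot: everything from `+||||||| parent of f25c612a... docs: add secrets` through `+>>>>>>> f25c612a... docs: add secrets` is the conflict-marker block of a bad merge, and the 62 added lines duplicate content that is already in the file (the `# Secrets` heading and `<blockquote class="info">` appear in the first hunk's context, and the three `## Coder SSH Key` lines at 122-124 repeat the unchanged context lines 61-63); keep one copy of the article and remove the markers before this merges. Two smaller points in the duplicated HCL block once the resolution is done: the comment `# Let users access the secret via #TWILIO_API_SECRET` should read `$TWILIO_API_SECRET` (or `${TWILIO_API_SECRET}`) since that is how an environment variable is referenced in a shell, and `TWILIO_API_SECRET = "${twilio_iam_api_key.api_key.secret}"` can be written as the plain reference `twilio_iam_api_key.api_key.secret` in modern Terraform. Since the section states that parameters are shown in cleartext and warns against passing secrets that way, it would be worth adding a sentence that a secret wired into `coder_agent` `env` this way is also written to Terraform state, so the state backend needs the same access controls as the secret itself.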