Open
Description
Some users want their developers to be pre-authenticated with external providers (e.g. Artifactory) when they first create their workspace.
This may be to pull data in the startup script, or to avoid manual token handling and other steps when a user enters their workspace.
Requirements
- Users can set key/value pairs in their account settings
- If a template requires these secrets to be set, disable account creation until they are set
- It is documented that these values should be hidden from startup script output (perhaps mounted as env vars or k8s secrets instead)
To explore
- Can/should we encrypt secrets in the database?
Potential enhancements
These should be considered in the design of these features.
- Many users would prefer to fetch these values (using the user's OIDC token) from Hashicorp Vault or AWS Secrets engine instead of them being stored in the Coder database
- Secrets can be fetched or rotated via Terraform
- Specific templates should not be able to access user secrets
- Support generic parameters (non-secrets), but not user-wide (e.g. dotfiles URL)
Note
Coder already stores some secrets on behalf of users that can be used in templates (OIDC access token, git auth token, SSH key), but arbitrary secrets cannot be defined by an admin.