Skip to content

docs: add secrets #3057

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 20, 2022
Merged

docs: add secrets #3057

merged 3 commits into from
Jul 20, 2022

Conversation

ammario
Copy link
Member

@ammario ammario commented Jul 20, 2022

No description provided.

@ammario ammario requested a review from Kira-Pilot July 20, 2022 05:57
@ammario ammario linked an issue Jul 20, 2022 that may be closed by this pull request
docs: explain how to inject secrets into the workspace #3047
Closed
@ammario ammario enabled auto-merge (squash) July 20, 2022 06:15
Kira-Pilot
Kira-Pilot reviewed Jul 20, 2022
View reviewed changes
docs/secrets.md
## Dynamic Secrets

Dynamic secrets are attached to the workspace lifecycle and automatically
injected into the workspace. For a little bit of up front template work,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
injected into the workspace. For a little bit of up front template work,
injected into the workspace. With a little bit of upfront template work,

bpmct
bpmct approved these changes Jul 20, 2022
View reviewed changes
docs/secrets.md

<blockquote class="info">
This article explains how to use secrets in a workspace. To authenticate the
workspace provisioner, see <a href="./templates/authentication">this</a>.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
workspace provisioner, see <a href="./templates/authentication">this</a>.
workspace provisioner, see <a href="./templates/authentication">Provider Authentication</a>.

docs/secrets.md
whatever workflow and tools you already use to manage secrets may be brought
over.

For most, this workflow is simply:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
For most, this workflow is simply:
Often times, this workflow is simply:

docs/secrets.md
Comment on lines +23 to +25
<a href="./templates#parameters">Template parameters</a> are a dangerous way to accept secrets.
We show parameters in cleartext around the product. Assume anyone with view
access to a workspace can also see its parameters.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
<a href="./templates#parameters">Template parameters</a> are a dangerous way to accept secrets.
We show parameters in cleartext around the product. Assume anyone with view
access to a workspace can also see its parameters.
For most cases, we do not recommend using <a href="./templates#parameters">template parameters</a> to accept workspace secrets as anyone with view access to a workspace can also see its parameters.

Reasoning:

  1. Workspace params do not show up in the dashboard, CLI, or build log unless the template definition explicitly uses a parameter as label for a resource/coder_app. The same could be done with "secrets"
  • They may be fetchable via the API (cc @Emyrk)
  1. The only role that has read access to workspaces also has write access and can enter a terminal and env or cat project/.env to expose secrets

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Workspace params do not show up in the dashboard, CLI, or build log unless the template definition explicitly uses a parameter as label for a resource/coder_app. The same could be done with "secrets"

This is the case right now, but could change in the near future, so I left out the specifics.

The only role that has read access to workspaces also has write access and can enter a terminal and env or cat project/.env to expose secrets

The specific permission nodes seem likely to change in the near future as we build out RBAC. So, I phrased it in the safest way.

@ammario ammario merged commit 87b0b4b into main Jul 20, 2022
@ammario ammario deleted the docs-secrets branch July 20, 2022 12:31
@bpmct
Copy link
Member

bpmct commented Jul 20, 2022

:/ didn't realize auto-merge was on.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Kira-Pilot Kira-Pilot Kira-Pilot left review comments

@bpmct bpmct bpmct approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

docs: explain how to inject secrets into the workspace
3 participants
@ammario @bpmct @Kira-Pilot