You signed in with another tab or window.Reload to refresh your session.You signed out in another tab or window.Reload to refresh your session.You switched accounts on another tab or window.Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/secrets.md
+12-9Lines changed: 12 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,31 +5,36 @@ This article explains how to use secrets in a workspace. To authenticate the
5
5
workspace provisioner, see <ahref="./templates/authentication">this</a>.
6
6
</blockquote>
7
7
8
-
Codertakes an unopinionated stance to workspacesecrets.
8
+
Coderis open-minded about how you get yoursecrets into your workspaces.
9
9
10
10
##Wait a minute...
11
11
12
12
Your first stab at secrets with Coder should be your local method.
13
13
You can do everything you can locally and more with your Coder workspace, so
14
-
whatever workflow and tools you already use to manage secretscan be brought
14
+
whatever workflow and tools you already use to manage secretsmay be brought
15
15
over.
16
16
17
17
For most, this workflow is simply:
18
18
19
19
1. Give your users their secrets in advance
20
-
1.They write them to a persistent file after
21
-
they've builta workspace
20
+
1.Your users write them to a persistent file after
21
+
they've builttheir workspace
22
22
23
23
<ahref="./templates#parameters">Template parameters</a> are a dangerous way to accept secrets.
24
24
We show parameters in cleartext around the product. Assume anyone with view
25
25
access to a workspace can also see its parameters.
26
26
27
27
##Dynamic Secrets
28
28
29
-
Dynamic secrets are attached to the workspace lifecycle and require no setup by
30
-
the end user.
29
+
Dynamic secrets are attached to the workspace lifecycle and automatically
30
+
injected into the workspace. For a little bit of up front template work,
31
+
they make life simpler for both the end user and the security team.
31
32
32
-
They can be implemented in your template code like so:
33
+
This method is limited to
34
+
[services with Terraform providers](https://registry.terraform.io/browse/providers),
35
+
which excludes obscure API providers.
36
+
37
+
Dynamic secrets can be implemented in your template code like so:
33
38
34
39
```hcl
35
40
resource "twilio_iam_api_key" "api_key" {
@@ -46,8 +51,6 @@ resource "coder_agent" "dev" {
46
51
}
47
52
```
48
53
49
-
This method is limited to[services with Terraform providers](https://registry.terraform.io/browse/providers).
50
-
51
54
A catch-all variation of this approach is dynamically provisioning a cloud service account (e.g[GCP](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_key#private_key))
52
55
for each workspace and then making the relevant secrets available via the cloud's secret management