- Notifications
You must be signed in to change notification settings - Fork1k
docs: add secrets#3057
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
docs: add secrets#3057
Uh oh!
There was an error while loading.Please reload this page.
Conversation
| ## Dynamic Secrets | ||
| Dynamic secrets are attached to the workspace lifecycle and automatically | ||
| injected into the workspace. For a little bit of up front template work, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
| injected into the workspace.For a little bit ofup front template work, | |
| injected into the workspace.With a little bit ofupfront template work, |
| <blockquote class="info"> | ||
| This article explains how to use secrets in a workspace. To authenticate the | ||
| workspace provisioner, see <a href="./templates/authentication">this</a>. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
| workspace provisioner, see <ahref="./templates/authentication">this</a>. | |
| workspace provisioner, see <ahref="./templates/authentication">Provider Authentication</a>. |
| whatever workflow and tools you already use to manage secrets may be brought | ||
| over. | ||
| For most, this workflow is simply: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
| For most, this workflow is simply: | |
| Often times, this workflow is simply: |
| <a href="./templates#parameters">Template parameters</a> are a dangerous way to accept secrets. | ||
| We show parameters in cleartext around the product. Assume anyone with view | ||
| access to a workspace can also see its parameters. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
| <ahref="./templates#parameters">Template parameters</a> are a dangerous way to accept secrets. | |
| We show parameters in cleartext around the product. Assume anyone with view | |
| access to a workspace can also see its parameters. | |
| For most cases, we do not recommend using <ahref="./templates#parameters">template parameters</a> to accept workspace secrets as anyone with view access to a workspace can also see its parameters. |
Reasoning:
- Workspace params do not show up in the dashboard, CLI, or build log unless the template definition explicitly uses a parameter as label for a resource/coder_app. The same could be done with "secrets"
- They may be fetchable via the API (cc@Emyrk)
- The only role that has read access to workspaces also has write access and can enter a terminal and
envorcat project/.envto expose secrets
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Workspace params do not show up in the dashboard, CLI, or build log unless the template definition explicitly uses a parameter as label for a resource/coder_app. The same could be done with "secrets"
This is the case right now, but could change in the near future, so I left out the specifics.
The only role that has read access to workspaces also has write access and can enter a terminal and env or cat project/.env to expose secrets
The specific permission nodes seem likely to change in the near future as we build out RBAC. So, I phrased it in the safest way.
:/ didn't realize auto-merge was on. |
No description provided.