Comments (8)
mgrlabs
commented on May 26, 2024
1
That's a pretty cool idea to map subordinate directories as he prefix for the environment variable. The example I would give is where I would store secrets required for Terraform to deploy into Azure in org/product/dev/arm containing:
client_id
client_secret
tentant_id
subscription_id
would map to:
ARM_CLIENT_ID
ARM_CLIENT_SECRET
ARM_TENANT_ID
ARM_SUBSCRIPTION_ID
This would work well in that case. Gives us flexibility. Looks good :)
Regards,
Mark.
from secrethub-cli.
SimonBarendse
commented on May 26, 2024
1
Hi @stavalfi , yes, we welcome any input from the community!
This feature is indeed meant to be used instead of a secrethub.env file.
Note however, that we will still be supporting secrethub.env files and all other methods already available to pass environment variables (--envar flag, secret references, environment files and environment variables passed by the OS).
So, if you prefer the secrethub.env files, feel free to keep using those!
As you also noted, this --secrets-dir flag doesn't require explicit definition of the environment variables in the secrethub.env file or any other place.
This can be seen both as an advantage (Your directory in SecretHub is already the source of truth of all secrets in your project, so using that to determine which environment variables need to be populated saves time of maintaining a secrethub.env file that just echos that state) or as a disadvantage (you no longer have a secrethub.env file in source control which exactly defines which secrets you'll be using, making your Git repo the source of truth and always having a commit for any changes to your environment). I believe it largely depends on whether you want your directory in SecretHub or your Git repo to be the source of truth about which secrets are being used.
I imagine the preference and trade-offs between both methods to vary between projects and processes, which is why we aim to support both and leave it up to you to pick the solution that best fits your use.
You mentioned using both secrets and non-secrets in the environment. We've seen many users store both of these in SecretHub. You can also store values in SecretHub that are not secret. We might add features later which make it possible to differentiate between these two types of values stored in SecretHub (e.g. no masking, other access levels etc.) but this is not something we've currently planned. However, please use the current set of features as you see fit, including storing other values than secrets.
You mentioned a user without read permissions not being able to see what secrets will be used when the --secrets-dir flag is used. I can imagine adding a separate permission later (named e.g. list), which allows you to read the metadata (e.g. names of the secrets), but doesn't allow you to read the secret data. However, this is not on the roadmap yet.
a project should have an abstraction over secrethub: a function that returns all secrets as variables instead of making use of env-var directly in the code. so the issue that I mentioned above, is not a problem.
I'm not sure I quite understand what you mean. Do you mean to call SecretHub directly from your code? Could you please elaborate on this a bit? Maybe an example can help?
from secrethub-cli.
mgrlabs
commented on May 26, 2024
Hi there,
How does this work if you were to reference org/repo/my-app/aws? Would you get?
ACCESS_KEY_ID
SECRET_ACCESS_KEY
Regards,
Mark.
from secrethub-cli.
jpcoenen
commented on May 26, 2024
Hi Mark,
My current proposal would indeed be that using --secrets-dir=org/repo/my-app/aws results in:
ACCESS_KEY_ID
SECRET_ACCESS_KEY
Is that what you'd expect?
from secrethub-cli.
stavalfi
commented on May 26, 2024
-
I'm assuming that this feature will let us avoid writing a secrethub.env file (or removing some content from it). if yes, keep reading. if not, I'm wrong and just ignore this response).
-
I'm assuming that the community is allowed to have an opinion about this issue so I will write my own. if not, ignore it.
when a project has a secrethub.env file, there are advantages of visibility and explicitness (maybe its the same) about which env-var are used. it's a single-source-of-truth for the secrets that are being used in the project.
when developing in a project when the project made a use of this feature, I can't know which env-var that is being used, is a secret or not.
a possible response can be:
- a developer shouldn't be care if a env-var is a secret or not.
- I'm not sure that I have much expirience to answer this but my intoition tells me that the developer should know if a env-var is a secret or not.
- you guys can argue that the developer can list the secrets of a project in secrethub-cli. but what if he doesn't have a read permission in this repo? maybe he doesn't have have an account?
- a project should have an abstraction over secrethub: a function that returns all secrets as variables instead of making use of env-var directly in the code. so the issue that I mentioned above, is not a problem.
What do you guys think?
from secrethub-cli.
stavalfi
commented on May 26, 2024
the roadmap sounds very cool! thanks for the great answer :)
from secrethub-cli.
SimonBarendse
commented on May 26, 2024
This has been merged in #299 and will be included in the next release
from secrethub-cli.
SimonBarendse
commented on May 26, 2024
This has been released in v0.41.0
from secrethub-cli.
Related Issues (20)
- Make generate command less verbose HOT 1
- Add complex password requirements to generate command HOT 19
- stdout and stderr mixed in secrethub run HOT 2
- Add `--force` flag to inject command HOT 5
- Add flag to secrethub read to not print newline HOT 3
- how to get SECRETHUB_CREDENTIAL? HOT 9
- Parse .env vars to directory vars HOT 6
- Snap: Errors with clipboard and file options for secrethub write (CLI) HOT 3
- Unable to find credential file in custom config directory HOT 2
- Npm package of @secrethub/cli is not an executable HOT 3
- Unable to install CLI on Mac OS Big Sur HOT 2
- Add Termux (Android) support HOT 7
- install on arm64 HOT 2
- ERROR with GPGP key HOT 2
- Support 1Password CLI 2 in migration commands
- APT update using main stable, failed to fetch due to unexpected size (402 != 400). HOT 1
- Cannot install secrethub cli via brew
- OP_SESSION environment variable not found
- Error applying migration: unknown command "list" for "op" HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from secrethub-cli.