
Secrets #26

Draft
wants to merge 5 commits into
base: main

Conversation

tetron
Member

@tetron tetron commented May 17, 2024

No description provided.

@tetron tetron requested a review from mr-c May 17, 2024 10:50
Process.yml (Outdated)
Comment on lines 404 to 405:
* false (same as null)
* true (parameter is secret)

Member

Suggested change:
- * false (same as null)
- * true (parameter is secret)
+ * `false` (same as null)
+ * `true` (parameter is secret)

Process.yml (Outdated)
Comment on lines 408 to 409:
If the value of `secret` is a string, this is a lookup key to
be used to fetch a secret value from the workflow platform

Member

Suggested change:
- If the value of `secret` is a string, this is a lookup key to
- be used to fetch a secret value from the workflow platform
+ If the value of `secret` is a string, this is a lookup key that can
+ be used to fetch a secret value from the workflow platform

Process.yml (Outdated)
Comment on the lines:
implementation specific and out of scope for this document.

If the input parameter is a secret, the `type` of the input
parameter must only consist of `string`, `array<string>`, or

Member

Suggested change:
- parameter must only consist of `string`, `array<string>`, or
+ parameter must only consist of `string`, `string[]`, or

@tetron
Member Author

tetron commented May 17, 2024

From discussion, should limit to only resolving the top level.

Marius: maybe this should be called "protected".

@tetron
Member Author

tetron commented May 17, 2024

Another idea:

Instead of putting the key in the workflow inputs:

```yaml
inputs:
  inp2:
    type: string
    secret: AWSPASS
```

Specify the secret in the input document:

```yaml
# workflow inputs
inputs:
  inp2:
    type: string
    sensitive: true
```

```yaml
# input document: a reference to a platform secret
inp2:
  class: Secret
  secretKey: urn:aws-secret-12345
```

```yaml
# input document: a literal value
inp2: IlikeMonkeys
```

```yaml
# input document: a value included from a local file
inp2: {$include: ~/.config/my_password}
```

Use default to achieve the behavior of referencing secrets from the workflow:

```yaml
inputs:
  inp2:
    type: string
    sensitive: true
    default:
      class: Secret
      secretKey: urn:aws-secret-54321
```

@tetron tetron marked this pull request as draft May 17, 2024 13:39
@tom-tan
Member

tom-tan commented May 17, 2024

I have a question about secrets.

How should it behave when the secret strings are written to files?
For me, the written files must still be treated as secret: that is, we need secret files as well as secret strings. Once we introduce the concepts of secret files and secret strings, the spec may be simpler: a file that contains secret strings is a secret file, and a (sub)string that is read from a secret file is a secret string.

@tetron
Member Author

tetron commented May 17, 2024

New idea. Get rid of "confidential" and introduce a "SecretText" record that is passed through and dereferenced to get "plaintext" only when needed.

```yaml
# workflow inputs
inputs:
  inp1: SecretText
```

```yaml
# input document: reference only, resolved when needed
inp1:
  class: SecretText
  secretId: urn:id-12345
```

```yaml
# input document: reference with the plaintext supplied inline
inp1:
  class: SecretText
  secretId: urn:id-12345
  plaintext: IlikeMonkeys
```
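As an added illustration of the SecretText idea above (example code written for this page, not part of the CWL spec or of this PR): a record type that is passed through opaquely, keeps its plaintext out of `repr`/`str` output, is dereferenced against a constructed stand-in secret store only when `reveal()` is called, and is only recognised at the top level of the input document, as the earlier comment proposed. `SECRET_STORE`, `reveal()` and `load_inputs()` are assumed names.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the workflow platform's secret store
# (assumption: lookup by secretId URN; not defined by the proposal).
SECRET_STORE = {"urn:id-12345": "IlikeMonkeys"}


@dataclass
class SecretText:
    """Opaque record passed through the workflow; plaintext only on demand."""
    secretId: str
    # repr=False keeps the value out of dataclass reprs, logs and tracebacks
    plaintext: Optional[str] = field(default=None, repr=False)

    def reveal(self, store: dict = SECRET_STORE) -> str:
        # Dereference only when a step actually needs the value; an inline
        # plaintext (second input-document form above) is used as-is.
        if self.plaintext is None:
            self.plaintext = store[self.secretId]
        return self.plaintext

    def __str__(self) -> str:
        return f"SecretText({self.secretId})"


def load_inputs(schema: dict, doc: dict) -> dict:
    """Wrap inputs declared as SecretText, looking only at the top level
    of the input document (nested values are passed through untouched)."""
    out = {}
    for name, spec in schema.items():
        declared = spec["type"] if isinstance(spec, dict) else spec
        value = doc[name]
        if declared == "SecretText":
            if isinstance(value, dict) and value.get("class") == "SecretText":
                out[name] = SecretText(value["secretId"], value.get("plaintext"))
            else:
                # Refuse a bare string: the secret must arrive as a record
                raise ValueError(f"{name}: SecretText input must be a SecretText record")
        else:
            out[name] = value
    return out
```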
