How to deal with credentials/key files in a (reasonably) safe way

[Michael van Schaik]

I'm more often integrating various cloud services into projects lately, and was wondering what would be considered the/a correct way of storing their API credentials in a SilverStripe project. 

For example, for Google Cloud services, one can create a 'Service Account' - which is something like an infrastructure account, used by code to connect to an API. The credentials for this account are stored in a json file, of which the path is loaded in an environment variable so the Google API class can find them.

My question is where best to store this credentials.json file. Right now I just placed it next to _ss_config.php in the site root, as _key_google-service-account-randombits.json

Then I blocked access to any *_key_*.json files from .htaccess (which is probably not _really_ sufficient, like in case of a misconfigured Apache).

# Deny access to JSON key files (having '_key_' in their filename), 
# which might include sensitive information
<Files *_key_*.json>
   Order allow,deny
   Deny from all
</Files>

What's considered a best practice to deal with this in a SilverStripe way?

Obviously they need to be kept out of Git, and it would probably be safest to keep these files outside of the web root. But we're storing similar stuff in .yml files as well. 

Should we maybe add a _config/ or _keys/ dir in the webroot as well to hold these keys?
Or should we add a deny block for any file containing _key_ to .htaccess by default?

[Sam Minnée]

Hi Michael,

The recommended approach is to store your API credentials as defines in an _ss_environment.php file.

 - Don't check this file into your git repo, manage it separately. You don't want to share your credentials with everyone who has access to the repo.

 - You can put this file in 1 folder level above your webroot and it will still be picked up by SilverStripe

For example, on a lot of our systems we manage the loading of credentials onto servers via puppet. Although our puppet config is also stored in a git repo, it's a repo that is locked down a lot more tightly than our project code. With project code we generally take the approach of "assume this could be public one day" and don't put any secrets in it.

In the case of a config file rather than a string, I would also suggest managing this file separately from your project code and place it outside of your web root.

If you don't have puppet and your managing your servers more manually, the best bet may be simply to manage this file manually.

--
You received this message because you are subscribed to the Google Groups "SilverStripe Core Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to silverstripe-d...@googlegroups.com.
To post to this group, send email to silverst...@googlegroups.com.
Visit this group at https://groups.google.com/group/silverstripe-dev.
For more options, visit https://groups.google.com/d/optout.

--

Sam Minnée

CEO

SilverStripe Limited

www.silverstripe.com

Phone: +64 4 978 7334

Twitter: @sminnee

Book a meeting with me

[Christopher Pitt]

...also, there's this: https://github.com/silverstripe/silverstripe-framework/pull/6337

[Michael Strong]

Further to Sam's comments you may want to look at the vault by Hashicorp: https://www.hashicorp.com/blog/vault.html

I can't vouch for it as I've never used it, but have seen it demoed and it looks to tick all the right boxes.

On 1 December 2016 at 10:06, Christopher Pitt <cgp...@gmail.com> wrote:

...also, there's this: https://github.com/silverstripe/silverstripe-framework/pull/6337

--

You received this message because you are subscribed to the Google Groups "SilverStripe Core Development" group.

To unsubscribe from this group and stop receiving emails from it, send an email to silverstripe-dev+unsubscribe@googlegroups.com.
To post to this group, send email to silverstripe-dev@googlegroups.com.

Visit this group at https://groups.google.com/group/silverstripe-dev.
For more options, visit https://groups.google.com/d/optout.

--

Michael Strong | Developer
SilverStripe
http://silverstripe.com/

Phone: +64 4 978 7330