Secure Environment Variables or where to store credentials on agents


Cristi Campean

Jun 30, 2014, 11:30:54 AM
to go...@googlegroups.com
Hi,

We want to store credentials (to connect the agents to different systems from our infrastructure) in some secure environment variables, but we don't want to configure them on every single pipeline.

Is it possible to set Secure Environment Variables on Environment level? Or is there any similar functionality for environments?

Do you have any recommendation on where we should store the credentials on the agents that the agents will use to connect to different systems from our infrastructure? We don't like the idea of storing them in plain text in some property files on the agents.

Thanks,
Cristi

Rustin Daniels

Jul 15, 2014, 8:25:36 PM
to go...@googlegroups.com
Hi,

How would you need to use these environment variables? In your go.config to build a resource path to an upstream dependency or as part of a job nant or ant script?

I would suggest a single environment variable, e.g. ENVIRONMENT_NAME, on each agent and storing your password in a repository, then creating the dependency path dynamically using the {#} syntax; see the example below.
Your passwords.txt file could be located in the FitNesse folder; have a job execute a task that reads the text file and parses the contents (encrypted => plaintext), then use it in whichever way you like.

<svn url="https://10.194.74.34/svn/fasttrack/trunk/Config/Environments/#{ENVIRONMENT_NAME}/passwords/FitNesse/" username="GoAgent" encryptedPassword="sIK49HOc1rdBuGJ69kfLRw==" dest="config-fitNesse-fasttrack.services.security" materialName="config-fitNesse-services.security">
  <filter>
    <ignore pattern="**/*.*" />
  </filter>
</svn>

Hope that helps.
Rustin

Marius Ciotlos

Jul 18, 2014, 1:08:44 PM
to go...@googlegroups.com
Creating a Repo link for getting a text value seems a bit of an overhead. Secure Environment variables would be required to hide them in console logs from people that don't administer that specific pipeline. There are a few applications out there that, to be configured to work without user interaction, need the passwords specified in Environment variables. To avoid using Puppet or Chef to inject this on the agent itself, using some sort of a Secure Environment Variable would have been more elegant.

Jyoti Singh

Jul 22, 2014, 9:23:30 AM
to go...@googlegroups.com
Currently, secure environment variables are not fully supported at Environment level.
By *not fully supported* I mean that, while editing the config through XML, a user could specify an environment variable as secure, in which case Go would ensure encrypting and masking it across logs and views. However, setting/editing this through the admin UI is not implemented as yet. This also means that if you mark some environment variable as secure through the config XML and then later edit the specific environment using the admin UI, the variable would be deleted :(

For now the best bet is to set up the secure variable at pipeline level.
A few others have asked about it in the recent past, so in case anyone is interested in taking this feature to completion, we could continue the discussion on the go-cd-dev mailing list.

Cheers,
Jyoti
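
An added example, not part of the thread or of Go's own code: a Python audit of a config XML that reports credential-looking variables that are not marked secure, and secure variables set at environment level, which per the reply above are deleted when that environment is edited in the admin UI. The element and attribute names (`environmentvariables`, `variable`, `secure`, `encryptedValue`, `value`) are assumed from Go's config XML layout, and the sample config and the name pattern are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample config; element names are assumed from Go's config XML
# layout and every value below is made up for this example.
SAMPLE_CONFIG = """
<cruise>
  <pipelines group="build">
    <pipeline name="deploy">
      <environmentvariables>
        <variable name="DB_PASSWORD" secure="true">
          <encryptedValue>Q09OU1RSVUNURUQ=</encryptedValue>
        </variable>
        <variable name="API_TOKEN"><value>constructed-plaintext</value></variable>
      </environmentvariables>
    </pipeline>
  </pipelines>
  <environments>
    <environment name="uat">
      <environmentvariables>
        <variable name="SVN_PASSWORD" secure="true">
          <encryptedValue>Q09OU1RSVUNURUQ=</encryptedValue>
        </variable>
        <variable name="ENVIRONMENT_NAME"><value>uat</value></variable>
      </environmentvariables>
    </environment>
  </environments>
</cruise>
"""

# Hypothetical heuristic for variable names that probably hold a credential.
SECRET_NAME = re.compile(r"PASS|SECRET|TOKEN|KEY|CRED", re.IGNORECASE)

def audit(config_xml):
    """Return sorted (scope, owner, variable, finding) tuples."""
    root = ET.fromstring(config_xml)
    findings = []
    for scope in ("pipeline", "environment"):
        for owner in root.iter(scope):
            # Only variables declared directly on the pipeline or environment.
            for var in owner.findall("environmentvariables/variable"):
                secure = var.get("secure") == "true"
                if not secure and SECRET_NAME.search(var.get("name", "")):
                    # Not marked secure, so it is neither encrypted nor masked.
                    findings.append((scope, owner.get("name"), var.get("name"), "plaintext-secret"))
                elif secure and scope == "environment":
                    # Per the thread: an admin-UI edit of this environment deletes it.
                    findings.append((scope, owner.get("name"), var.get("name"), "ui-edit-deletes"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep="\t")
```
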