Add a credentials section to the fidesctl.toml config file that allows users to store credentials #606

Closed
ThomasLaPiana opened this issue May 6, 2022 · 6 comments · Fixed by #694

@ThomasLaPiana
Contributor

Is your feature request related to a specific problem?

We need a way for users to be able to store credentials in their fidesctl.toml files or as env vars.

Describe the solution you'd like

We should use a key/value solution so that we can be flexible with our connection types, and also allow users to call that connection information via an id

Describe alternatives you've considered, if any

A description of any alternative solutions or features you've considered.

Additional context

Potential toml design:

```toml
[credentials.postgres]
postgres_conn_1 = "postgresql+psycopg2://postgres:fidesctl@fidesctl-db:5432/fidesctl_test"

[credentials.aws]
aws_creds_1 = {access_key_id="<something>", secret_access_key="<some_key>", default_region="<some_region>"}
```

then the env vars would look like:

```
FIDESCTL__CREDENTIALS__POSTGRES_POSTGRES_CONN_1="<some creds>"
FIDESCTL__CREDENTIALS__AWS_AWS_CREDS_1_ACCESS_KEY_ID="<some id>"
FIDESCTL__CREDENTIALS__AWS_AWS_CREDS_1_SECRET_ACCESS_KEY="<some access key>"
FIDESCTL__CREDENTIALS__AWS_AWS_CREDS_1_DEFAULT_REGION="<some default region>"
```

@ThomasLaPiana
Contributor Author

related to #583

@SteveDMurphy
Contributor

Just for the sake of discussion, would it be feasible to have a config.yml take an environment variable instead that the .toml points to? As far as I understood, .toml can't utilize an environment variable, which would introduce some risk of a user storing these under version control.

@ThomasLaPiana
Contributor Author

ThomasLaPiana commented May 6, 2022

@SteveDMurphy while the toml can't directly load values from env vars, it's just one of the sources we populate our internal config from.

We prioritize env vars over the toml, but in the end they both get loaded into our internal python config. We give users the option of injecting either via env vars or putting them in the toml config.

@sanders41
Contributor

Would it make sense to put something in the documentation to remind people to add the toml file to the .gitignore if they are adding credentials to it? And maybe also steer them towards using environment variables in the docs?

@ThomasLaPiana
Contributor Author

@sanders41 for sure, I think we should steer people towards using environment variables for sensitive credentials. I think gitignoring the whole config is usually a step too far though.

@sanders41
Contributor

Yes, I agree. I was only thinking of suggesting they gitignore it if sensitive info has been added.
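The precedence discussed in this thread (env vars win over the toml, and secrets read from the file are the ones at risk of being committed), as an added example that is not fidesctl's own code. The variable naming follows the issue's sketch; `env_name`, `resolve` and `file_sourced` are hypothetical helpers, and all sample values are constructed.

```python
PREFIX = "FIDESCTL__CREDENTIALS__"

def env_name(conn_type, cred_id, field=None):
    # Naming follows the issue's sketch: type and id joined by one underscore.
    parts = [conn_type, cred_id] + ([field] if field else [])
    return PREFIX + "_".join(parts).upper()

def resolve(conn_type, cred_id, file_creds, environ, fields=()):
    """Return (value, sources); an env var wins over the toml value."""
    from_file = file_creds.get(conn_type, {}).get(cred_id)
    if not fields:  # plain string credential, e.g. a connection URL
        name = env_name(conn_type, cred_id)
        if name in environ:
            return environ[name], {cred_id: "env"}
        if from_file is None:
            raise KeyError(f"no credential {conn_type}.{cred_id}")
        return from_file, {cred_id: "file"}
    value, sources = {}, {}
    table = from_file if isinstance(from_file, dict) else {}
    for field in fields:  # key/value credential, resolved field by field
        name = env_name(conn_type, cred_id, field)
        if name in environ:
            value[field], sources[field] = environ[name], "env"
        elif field in table:
            value[field], sources[field] = table[field], "file"
        else:
            raise KeyError(f"missing {conn_type}.{cred_id}.{field}")
    return value, sources

def file_sourced(sources):
    """Fields whose secret came from the toml: candidates for a warning."""
    return sorted(k for k, src in sources.items() if src == "file")

# Constructed sample data: what a TOML parser would return for [credentials],
# and a constructed environment mapping (all values are placeholders).
FILE_CREDS = {
    "postgres": {"postgres_conn_1": "postgresql+psycopg2://user:file-pw@db:5432/app"},
    "aws": {"aws_creds_1": {"access_key_id": "FILE_ID", "default_region": "us-east-1"}},
}
ENVIRON = {
    "FIDESCTL__CREDENTIALS__POSTGRES_POSTGRES_CONN_1": "postgresql+psycopg2://user:env-pw@db:5432/app",
    "FIDESCTL__CREDENTIALS__AWS_AWS_CREDS_1_SECRET_ACCESS_KEY": "ENV_SECRET",
}
AWS_FIELDS = ("access_key_id", "secret_access_key", "default_region")

if __name__ == "__main__":
    pg, pg_src = resolve("postgres", "postgres_conn_1", FILE_CREDS, ENVIRON)
    aws, aws_src = resolve("aws", "aws_creds_1", FILE_CREDS, ENVIRON, AWS_FIELDS)
    print(pg_src, aws_src, file_sourced(aws_src))  # sources only, never the secrets
```

Only the source of each field is printed, so running the check in CI does not put credential values in the log.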

4 participants