2022-07-20 12:31:33 +00:00
# Secrets
<blockquote class="info">
This article explains how to use secrets in a workspace. To authenticate the
workspace provisioner, see <a href="/admin/auth">this</a>.
</blockquote>
Coder is open-minded about how you get your secrets into your workspaces.
## Wait a minute...
Your first attempt at secrets with Coder should be your local method. You can do
everything you can locally and more with your Coder workspace, so whatever
workflow and tools you already use to manage secrets can be brought over.

Often, this workflow is simply:

1. Give your users their secrets in advance
1. Your users write them to a persistent file after they've built their
   workspace


[Template parameters](./templates/parameters.md) are a dangerous way to accept
secrets. Coder shows parameter values in cleartext throughout the product.
Assume anyone with view access to a workspace can also see its parameters.
## SSH Keys
Coder generates an SSH key pair for each user. It can be used to authenticate
to git providers or other tools. Within workspaces, git will attempt to use
this key via the `$GIT_SSH_COMMAND` environment variable.

Users can view their public key in their account settings:

![SSH keys in account settings](./images/ssh-keys.png)

> Note: SSH keys are never stored in Coder workspaces, and are fetched only when
> SSH is invoked. The keys are held in-memory and never written to disk.

## Dynamic Secrets
Dynamic secrets are attached to the workspace lifecycle and automatically
injected into the workspace. With a little up-front template work, they make
life simpler for both the end user and the security team.


This method is limited to
[services with Terraform providers](https://registry.terraform.io/browse/providers),
which excludes services whose API has no provider (typically obscure ones).
Keep in mind that Terraform records every resource attribute, including the
secret itself, in the workspace's state, which Coder stores; prefer credentials
that are scoped to a single workspace and revoked when it is destroyed.

Dynamic secrets can be implemented in your template code like so:

```hcl
resource "twilio_iam_api_key" "api_key" {
  account_sid   = "ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
  friendly_name = "Test API Key"
}

resource "coder_agent" "main" {
  # ...
  env = {
    # Let users access the secret via $TWILIO_API_SECRET
    TWILIO_API_SECRET = twilio_iam_api_key.api_key.secret
  }
}
```

A catch-all variation of this approach is dynamically provisioning a cloud
service account (e.g.
[GCP](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_key#private_key))
for each workspace and then making the relevant secrets available via the
cloud's secret management system. The workspace then carries a single
credential, and which secrets it can read is governed by the cloud's IAM policy
rather than by values baked into the template.
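
As an added example (not from the Coder docs or from any Coder template), this
is what the per-workspace service-account pattern can look like on GCP. The key
is gated on `data.coder_workspace.me.start_count`, so it exists only while the
workspace is running and is revoked in GCP when the workspace stops. The
`secret_id` variable, the `/tmp` key path, the `google` provider configuration
(project and provisioner credentials, omitted here), and the presence of
`gcloud` in the workspace image are all assumptions.

```hcl
terraform {
  required_providers {
    coder  = { source = "coder/coder" }
    google = { source = "hashicorp/google" }
  }
}

# Hypothetical: the existing Secret Manager secret this template grants access to.
variable "secret_id" {
  type = string
}

data "coder_workspace" "me" {}

# One service account per workspace. account_id must be 6-30 lowercase
# characters, so derive it from a hash of owner/name instead of concatenating
# them (which can exceed the limit).
resource "google_service_account" "workspace" {
  account_id   = "ws-${substr(sha256("${data.coder_workspace.me.owner}/${data.coder_workspace.me.name}"), 0, 24)}"
  display_name = "Coder workspace ${data.coder_workspace.me.owner}/${data.coder_workspace.me.name}"
}

# Grant exactly one secret to exactly this workspace's identity. Revoking access
# means deleting this binding (or the workspace), never rotating the secret.
resource "google_secret_manager_secret_iam_member" "workspace" {
  secret_id = var.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.workspace.email}"
}

# start_count is 1 while the workspace runs and 0 when it is stopped, so the key
# is created on start and destroyed (and therefore invalid in GCP) on stop.
resource "google_service_account_key" "workspace" {
  count              = data.coder_workspace.me.start_count
  service_account_id = google_service_account.workspace.name
}

resource "coder_agent" "main" {
  arch = "amd64"
  os   = "linux"

  env = {
    # private_key is base64-encoded JSON. try() yields "" while the workspace
    # is stopped, when workspace[0] does not exist.
    GOOGLE_SA_KEY_JSON = try(base64decode(google_service_account_key.workspace[0].private_key), "")
    # Assumed path: client libraries need a file, and /tmp is not part of the
    # persistent home directory, so the key does not outlive the container.
    GOOGLE_APPLICATION_CREDENTIALS = "/tmp/coder-workspace-sa.json"
    SECRET_ID                      = var.secret_id
  }

  # Assumes the agent exports the env map above to this script and that gcloud
  # is installed in the image.
  startup_script = <<-EOT
    #!/bin/sh
    set -eu
    umask 077
    printf '%s' "$GOOGLE_SA_KEY_JSON" > "$GOOGLE_APPLICATION_CREDENTIALS"
    gcloud auth activate-service-account --key-file="$GOOGLE_APPLICATION_CREDENTIALS" --quiet
    # Users can now read the secret on demand, e.g.:
    #   gcloud secrets versions access latest --secret="$SECRET_ID"
  EOT
}
```

The secret's value never appears in the template, in the agent environment, or
in Terraform state; only the short-lived service-account key does, and it is
destroyed whenever the workspace stops.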
## Displaying Secrets
While you can inject secrets into the workspace via environment variables, you
can also show them in the Workspace UI with
[`coder_metadata`](https://registry.terraform.io/providers/coder/coder/latest/docs/resources/metadata).
Items marked `sensitive = true` are hidden from view by default; as with
parameters, assume anyone who can view the workspace can reveal them.

![secret UI](./images/secret-metadata-ui.png)

This can be produced with:

```hcl
resource "twilio_iam_api_key" "api_key" {
  account_sid   = "ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
  friendly_name = "Test API Key"
}

resource "coder_metadata" "twilio_key" {
  resource_id = twilio_iam_api_key.api_key.id
  item {
    key       = "secret"
    value     = twilio_iam_api_key.api_key.secret
    # Hidden from view by default in the Workspace UI
    sensitive = true
  }
}
```