Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow hiding sensitive parameters in UI #194

Open
TheZoker opened this issue Feb 15, 2024 · 7 comments
Open

Allow hiding sensitive parameters in UI #194

TheZoker opened this issue Feb 15, 2024 · 7 comments
Milestone

Comments

@TheZoker
Copy link

It would be amazing, if there was an additional property for a coder_parameter called sensitiv (or similar).
This would hide the current value of the parameter if the workspace is viewed.
It should allow to overwrite the parameter, therefore show it when the user overwrites it, but again hides it when the user saves the change.

This would allow users to e.g. input API keys as parameters, but hide them after inserting them.

@matifali
Copy link
Member

@TheZoker We do not recommend adding or storing any secrets/credentials via coder_paramter. You may use a terraform variable with sensitive=true for this purpose, which will prevent it from being printed in logs.

@TheZoker
Copy link
Author

TheZoker commented Feb 16, 2024

But a terraform variable would not be shown in the workspace setup process, right?

And wouldn't a sensitive option for the coder_parameter be able to solve this issue?

image

(Source: https://coder.com/docs/v2/latest/secrets)

Just hide the parameter everywhere in the UI/logs by showing ****** instead

@matifali
Copy link
Member

They are not designed to accept and show secrets. And are only available on the workspace creation form. Please elaborate on your use case.

You can also try HCP Vault Secrets module to store and fetch secrets/API keys within your workspace.
I guess its free upto 25 secrets.

@TheZoker
Copy link
Author

The use case is, that the user should be able to input a API key on creation of the workspace. He should be able to change it, but should not be able to see the API key outside of the workspace. Inside of the workspace, we provide the key as env variable and run a script to setup certain authentications. Sure we could also ask the user to create a file with the secret in it within the workspace, but then we would not be able to run our script in startup. This would also add more manual setup steps to a automated setup system.

So in my opinion, it would be nice, if the user is guided trough setting up the workspace by inputting the API key in the workspace creation form and afterwards the key is displayed as *****. Similar to how many applications handle password change. Show **** when visiting the setup page, allow the users to overwrite it in clear text and after saving the change, show ***** again.

What would speak against providing a sensitiv option for the coder_parameter entity and hiding the value in the UI/logs? I thinks that's an elegant way to allow users to setup workspaces via the UI and also protecting the secret from other users with read access to the workspace.

And for just a simple API key we don't want to implement/deploy another third party app, just to store and receive it.

@johnstcn
Copy link
Member

@TheZoker Would coder/coder#7087 cover this use-case?

@TheZoker
Copy link
Author

Yes in my case this would absolutely solve the issue!
But I can imagine, that for some setups, it's required to have different secrets for different workspaces.

For me case this would be fine!

@michaelbrewer
Copy link

Workspace insights lists out all workspace parameters, masking at least for the UI should be allowed.

@matifali matifali changed the title Allow sensitiv parameters Allow hiding sensitive parameters in UI Aug 21, 2024
@matifali matifali added this to the v2 milestone Aug 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants