`berglas exec` seems to promote a bad pattern about berglas HOT 5 CLOSED

I'm doing some dev work on berglas today and tomorrow. I'll make a point to update the docs!

from berglas.

You are awesome! It didn't even take a day from issue to fix 🚀

from berglas.

Hi @corneliusweig

Thanks for asking the question. Your interpretation is correct - berglas exec resolves secrets and places their values plaintext via the subprocesses environment*. It's designed specifically for legacy applications that can't easily be altered but expect configuration in an environment variable.

I thought we documented this well. Do you see areas for improvement?

• An exception is if the berglas reference specifies a filepath. In that case, the secret is resolved and its contents are written to the file at the supplied path. Then the environment variable value is set to the path to the file containing the secrets.

from berglas.

Hi @sethvargo,

thanks for your speedy reply! After reading your comment, I looked more carefully and indeed I found that this is already wonderfully described.

However, that information was a bit hidden for me. Given that this can easily be used in the wrong way, what do you think about a pointer to the threat-model page at https://github.com/GoogleCloudPlatform/berglas#cli-usage item 4? It's also worth to explicitly mention that references like berglas://bucket/secret?destination=... make berglas exec safe again.

Also, some more information in berglas exec --help would be great!

WDYT?

from berglas.

If you like, I can also try to work on this documentation.

from berglas.