Comments (9)
Yep, a repo per app usually works best! Check out https://secrethub.io/docs/basics/best-practices/
from secrethub-cli.
@stavalfi Thanks a lot for this very detailed feedback!
Based on your feedback and questions I've made some changes to the service account docs. Specifically, the section on the `init` command now contains separate sections on the credential and on how to give the service account permission to your secrets. Furthermore, the docs no longer speak of service account configuration. As you also figured out, this should be the service account credential.
> a. "how do I get the SECRETHUB_CREDENTIAL of a service after the init process (or after 45 seconds)? (I don't have an answer for that (even now))

The new update now contains a note on this in the docs:

> Note that by design, the credential isn't stored in any other location, because it gives access to your secrets. If you lose access to the credential (e.g. the clipboard is cleared or you deleted the file), there's no way to retrieve it, so you'd have to revoke the service account and create a new one.
What made you ask this question? Did the 45 seconds run out before you pasted the credential in the GitHub secret? I believe 45 seconds is rather short, which is why I'm suggesting to increase the timeout to 3 minutes. Do you think that would be enough?
About the `--clip` flag, you mentioned:

> the following docs doesn't specify on which sub-commands I can use it

Currently, the docs are structured like so:

```
## Init
### Arguments
### Flags
// Docs on the `--clip` flag you found are here.
---
## List
### Arguments
### Flags
...
```
Do I get correctly that it currently is not clear that the Flags section containing the `--clip` flag is part of the section on the Init sub-command specifically?
I think we should make some changes to the design that make clearer what belongs together (e.g. more space around this horizontal line dividing the different sub-commands).
FYI, I don't believe in wrong questions. Especially when it comes to documentation. I believe unexpected questions about documentation are just indications that documentation can (and should!) improve. So your questions are really appreciated!
If you're up for one more round, I'd really appreciate it if you could share whether you have any remaining questions unanswered with this update of the docs. But please don't feel obligated! If you don't have the time that's okay too. I really appreciate all your efforts so far!
Yes, you're right. We indeed recommend using a unique service account for every place you use SecretHub. This allows for tighter access control (applying the principle of least privilege), makes the different places your secrets are used distinguishable in the audit log and allows for per-service revocation in case this would be necessary.
Yes, we definitely want auto-completion on the commands! In the meantime, note that you can also use the `--help` flag to see what subcommands/flags you can use on a command:

```
secrethub service init --help
```
OK, I found it: `cat /Users/<username>/.secrethub/credential`
You guys should document it somewhere...
Hi @stavalfi, I'm sorry to hear that this isn't clear from the documentation. I definitely agree that this should be included.
The credential you found at `~/.secrethub/credential` is the credential for your personal account. It's meant to be used by you on your machine. You can also create extra credentials for your personal account, as a backup or to use SecretHub on multiple devices.
For usage by a machine rather than a human, such as for your applications and your CI/CD pipelines, you can create service accounts. These get their own credential. Service accounts are completely separate accounts from your personal account, which means you can manage their access separately and you can identify them in the audit log.
So, to get a credential for your GitHub Actions pipeline, you'd run:

```
secrethub service init --clip --description "GitHub Actions pipeline for my project" <path/to/repo>
```

Note that I've passed `--clip`, which copies the credential to your clipboard (for 45 seconds), so that you can easily paste it into a GitHub secret using their website (https://github.com/<namespace>/<project>/settings/secrets).
Now, to give your service account access to the secrets it needs, you'll run:

```
secrethub acl set <path/to/dir> <service account id> read
```

You can find the service account ID with `secrethub service ls <path/to/repo>`.
As a shorthand for creating both the service account and the access rule, you can alternatively run:

```
secrethub service init --clip --permission <path/to/dir>:read --description "GitHub Actions pipeline for my project" <path/to/repo>
```

I hope this helps. If you have any further questions, please feel free to ask them here on GitHub, on Discord or at [email protected]. I'm happy to help!
You're absolutely right that we should document this. I'll update the actions README to include a reference to the service accounts. This will also update the documentation you see in the marketplace.
We're also working on a guide for GitHub Actions, similar to the CI/CD guides we already have.
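The two steps in the comment above (create a service account, grant it read access to one directory) and the "one service account per place you use SecretHub" recommendation from earlier in the thread can be scripted so that the credential never goes through the clipboard or a file at all. The script below is an added example written for this thread, not code from the secrethub-cli project. It assumes two things the thread does not confirm: that `secrethub service init` prints the new credential to stdout when `--clip` is not given, and that `gh secret set NAME --repo OWNER/REPO` reads the secret value from stdin. The `SECRETHUB_CMD` and `GH_CMD` variables are a hypothetical hook so the flow can be exercised with stand-in commands; the repository and directory names are constructed placeholders in the layout discussed later in the thread.

```shell
#!/bin/sh
# Added example (not SecretHub's own tooling): provision one SecretHub service
# account per consumer, granted read-only access to a single directory, and
# pipe its credential straight into the consumer's secret store.
#
# Assumptions (not confirmed by the thread):
#   - `secrethub service init` prints the credential to stdout without --clip
#   - `gh secret set NAME --repo OWNER/REPO` reads the value from stdin
set -eu

# Hypothetical override hook so the flow can be tested with stand-ins.
SECRETHUB_CMD=${SECRETHUB_CMD:-secrethub}
GH_CMD=${GH_CMD:-gh}

# Build the "<repo>/<dir>:read" permission for one consumer. Only read access
# is ever produced: a CI pipeline that consumes secrets has no reason to write
# them. Directories that are empty, absolute, or contain ".." are rejected so
# the grant cannot wander outside the intended secrets repo.
# Usage: read_permission <secrethub-repo> <dir-within-repo>
read_permission() {
  repo=$1; dir=$2
  case "$dir" in
    ""|/*|*..*) echo "refusing directory '$dir'" >&2; return 1 ;;
  esac
  printf '%s/%s:read\n' "$repo" "$dir"
}

# Create a dedicated service account for one consumer and hand its credential
# to that consumer's GitHub repository as the SECRETHUB_CREDENTIAL secret.
# The credential only ever exists in the pipe: nothing is written to disk and
# nothing lands in the clipboard. If the pipe fails, the account is revoked
# and recreated rather than the credential being recovered from anywhere.
# Usage: provision_consumer <secrethub-repo> <dir> <description> <owner/ghrepo>
provision_consumer() {
  repo=$1; dir=$2; desc=$3; gh_repo=$4
  perm=$(read_permission "$repo" "$dir") || return 1
  "$SECRETHUB_CMD" service init --permission "$perm" --description "$desc" "$repo" \
    | "$GH_CMD" secret set SECRETHUB_CREDENTIAL --repo "$gh_repo"
}

# Example call (needs both CLIs installed and authenticated; constructed names):
#   provision_consumer myorg/project-x-credentials docker-hub \
#     "GitHub Actions: project-x" myorg/project-x
```

Running `provision_consumer` once per pipeline (one for the GitHub Actions workflow, another for a second CI system) gives each place its own account and its own audit-log identity, which is what makes per-service revocation possible if one credential is ever exposed.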
@SimonBarendse Thanks for the detailed explanation!
I'm closing this issue.
I have a "best practice" question and it will help me to ask here with the context of my original question. If that's OK, I would like to hear your response.
So now I also understand that I built my repository in the wrong way: I created a repo `docke-hub` for docker-hub credentials, while I should have created a `project-x-credentials` repo that contains a `docker-hub` folder, and then I should have different services that have read/write access to different folders (paths) inside my `project-x-credentials` repo (e.g. a service for GitHub that has read access to the `project-x-credentials/docker-hub` folder).
Am I correct?
secrethub/actions#13 added documentation on the credential to the actions repo and marketplace.
Thanks again for reporting this @stavalfi!
Would you say this fix makes things clear? And is this documentation now in the place where you'd be looking for this info?
@SimonBarendse thanks for the update.
You gave me such a detailed answer, so I'm feeling obligated to give you something back with the same effort ;)
The following review is my personal user experience from your docs. It reflects only my experience.
In short: No.
The long version:
I tried to read the content on the website but I still didn't understand what to do. I came back to your original response in this thread, and found my answer here:

> So, to get a credential for your GitHub Actions pipeline, you'd run:
> `secrethub service init --clip --description "GitHub Actions pipeline for my project" <path/to/repo>`
> Note that I've passed --clip, which copies the credential to your clipboard (for 45 seconds), so that you can easily paste it into a GitHub secret using their website (https://github.com/<namespace>/<project>/settings/secrets).

- I came to the docs and Ctrl+F'd `SECRETHUB_CREDENTIAL` and I still couldn't find anything helpful.
- I read the page and still couldn't find the answer.
  a. (I'm writing (a) after I already know the answer.) The following docs don't specify on which sub-commands I can use it and that it will return `SECRETHUB_CREDENTIAL`, which is what I was looking for.
- I came back to your original answer and found it here:

> So, to get a credential for your GitHub Actions pipeline, you'd run:
> `secrethub service init --clip --description "GitHub Actions pipeline for my project" <path/to/repo>`
> Note that I've passed --clip, which copies the credential to your clipboard (for 45 seconds), so that you can easily paste it into a GitHub secret using their website (https://github.com/<namespace>/<project>/settings/secrets).

Now the questions that I'm asking myself are:
a. "How do I get the SECRETHUB_CREDENTIAL of a service after the init process (or after 45 seconds)?" (I don't have an answer for that (even now).)
b. "How do I give more read permissions to a service?" (If it's possible, I would expect to find a "section" just for that.)
I may ask the "wrong questions", but even if that's the case, you guys can profit from that too: if we see other users ask the same questions, how can we make sure it won't happen to other users?
Thanks!
Thanks for the response, fixes and the compliments!

> If you're up for one more round, I'd really appreciate if you could share whether you have any remaining questions unanswered with this update of the docs.

I read the new docs and it answers everything I wanted to ask.
- Now I also see that the docs on the GitHub Action have a link to the relevant doc, and a simple Ctrl+F search for `SECRETHUB_CREDENTIAL` sends me to what I need.
- Now I won't even think to search for my personal machine credentials, which is a very bad idea.

> What made you ask this question? Did the 45 seconds run out before you pasted the credential in the GitHub secret? I believe 45 seconds is rather short, which is why I'm suggesting to increase the timeout to 3 minutes. Do you think that would be enough?

I didn't think about the time that I have to copy-paste. I asked myself how I can use the same service that I already configured in a different place (additional CI/...).
Because some systems like GitHub don't let me read secrets after configuring them, and I would like to avoid at all cost saving the credentials of a service somewhere.
So I'm thinking now that maybe you guys don't want us to use the same service in multiple places.

> Do I get correctly that it currently is not clear that the Flags section containing the --clip flag is part of the section on the Init sub-command specifically?
> I think we should make some changes to the design that make clearer what belongs together (e.g. more space around this horizontal line dividing the different sub-commands).

I think that a simple solution for all the "what subcommand/flag can I use here" questions is to provide bash, zsh and fish completions ;)
(I wanted to open a different issue for that because this is really needed :P)