
Comments (9)

florisvdg avatar florisvdg commented on June 14, 2024 2

Yep, a repo per app usually works best! Check out https://secrethub.io/docs/basics/best-practices/

from secrethub-cli.

SimonBarendse avatar SimonBarendse commented on June 14, 2024 2

@stavalfi Thanks a lot for this very detailed feedback! 😄

Based on your feedback and questions I've made some changes to the service account docs.

Specifically, the section on the init command now contains separate sections on the credential and on how to give the service account permission to your secrets.

Furthermore, the docs now no longer speak of service account configuration. As you also figured out, this should be the service account credential.


a. "how do I get the SECRETHUB_CREDENTIAL of a service after the init process (or after 45 seconds)? (I don't have an answer for that (even now))

The new update now contains a note on this in the docs:

Note that by design, the credential isn’t stored in any other location, because it gives access to your secrets. If you lose access to the credential (e.g. the clipboard is cleared or you deleted the file), there’s no way to retrieve it, so you’d have to revoke the service account and create a new one.

What made you ask this question? Did the 45 seconds run out before you pasted the credential in the GitHub secret? I believe 45 seconds is rather short, which is why I'm suggesting to increase the timeout to 3 minutes. Do you think that would be enough?


About the --clip flag, you mentioned:

the following docs doesn't specify on which sub-commands can I use it

Currently, the docs are structured like so:

## Init
### Arguments
### Flags
// Docs on the `--clip` flag you found are here.
---
## List
### Arguments
### Flags
...

Do I get correctly that it currently is not clear that the Flags section containing the --clip flag is part of the section on the Init sub-command specifically?

I think we should make some changes to the design that make clearer what belongs together (e.g. more space around this horizontal line dividing the different sub-commands).


FYI, I don't believe in wrong questions. Especially when it comes to documentation. I believe unexpected questions about documentation are just indications that documentation can (and should!) improve. So your questions are really appreciated!

If you're up for one more round, I'd really appreciate if you could share whether you have any remaining questions unanswered with this update of the docs. But please don't feel obligated! If you don't have the time that's okay too. I really appreciate all your efforts so far 🥇

from secrethub-cli.

SimonBarendse avatar SimonBarendse commented on June 14, 2024 1

Yes, you're right. We indeed recommend to use a unique service account for every place you use SecretHub. This allows for tighter access control (applying principle of least privilege), makes the different places your secrets are used distinguishable in the audit log and allows for per-service revocation in case this would be necessary.


Yes, we definitely want auto-completion on the commands! In the meantime, note that you can also use --help flag to see what subcommands/flags you can use on a command.

secrethub service init --help

from secrethub-cli.

stavalfi avatar stavalfi commented on June 14, 2024

ok I found it: cat /Users/<username>/.secrethub/credential

you guys should document it somewhere...

from secrethub-cli.

SimonBarendse avatar SimonBarendse commented on June 14, 2024

Hi @stavalfi I'm sorry to hear that this isn't clear from the documentation. I definitely agree that this should be included.

The credential you found at ~/.secrethub/credential is the credential for your personal account. It's meant to be used by you on your machine. You can also create extra credentials for your personal account, as a backup or to use SecretHub on multiple devices.

For usage by a machine rather than a human, such as for your applications and your CI/CD pipelines, you can create service accounts. These get their own credential. Service accounts are completely separate accounts from your personal account, which means you can manage their access separately and you can identify them in the audit log.

So, to get a credential for your GitHub Actions pipeline, you'd run:

secrethub service init --clip --description "GitHub Actions pipeline for my project" <path/to/repo>

Note that I've passed --clip, which copies the credential to your clipboard (for 45 seconds), so that you can easily paste it into a GitHub secret using their website (https://github.com/<namespace>/<project>/settings/secrets).

Now, to give your service account access to the secrets it needs, you'll run:

secrethub acl set <path/to/dir> <service account id> read

You can find the service account ID with secrethub service ls <path/to/repo>.

As a shorthand for creating both the service account and the access rule, you can alternatively run:

secrethub service init --clip --permission <path/to/dir>:read --description "GitHub Actions pipeline for my project" <path/to/repo>

I hope this helps. If you have any further questions, please feel free to ask them here on GitHub, on Discord or at [email protected]. I'm happy to help! 😄


You're absolutely right that we should document this. I'll update the actions README to include a reference to the service accounts. This will also update the documentation you see in the marketplace.

We're also working on a guide for GitHub Actions, similar to the CI/CD guides we already have.

from secrethub-cli.

stavalfi avatar stavalfi commented on June 14, 2024

@SimonBarendse Thanks for the detailed explanation!

I'm closing this issue.

I have a "best practice" question and it will help me to ask here with the context of my original question. if that's ok, I would like to hear your response.

So now I also understand that I built my repository in the wrong way: I created a repo docker-hub for docker-hub credentials, while I should have created a project-x-credentials repo that contains a docker-hub folder, and then I should have different services that have read/write access to different folders (paths) inside my project-x-credentials repo (e.g. a service for GitHub that has read access to the project-x-credentials/docker-hub folder).

Am I correct?

from secrethub-cli.

SimonBarendse avatar SimonBarendse commented on June 14, 2024

secrethub/actions#13 added documentation on the credential to the actions repo and marketplace.

Thanks again for reporting this @stavalfi 😄

Would you say this fix makes things clear? And is this documentation now in the place where you'd be looking for this info?

from secrethub-cli.

stavalfi avatar stavalfi commented on June 14, 2024

@SimonBarendse thanks for the update.

You gave me such a detailed answer, so I'm feeling obligated to give you something back with the same effort ;)


The following review is my personal user experience with your docs. It reflects only my experience.

In short - No.

The long version:

I tried to read the content on the website but I still didn't understand what to do. I came back to your original response in this thread, and found my answer here:

So, to get a credential for your GitHub Actions pipeline, you'd run:

secrethub service init --clip --description "GitHub Actions pipeline for my project" <path/to/repo>

Note that I've passed --clip, which copies the credential to your clipboard (for 45 seconds), so that you can easily paste it into a GitHub secret using their website (https://github.com/<namespace>/<project>/settings/secrets).

  1. I came to the docs and Ctrl+F'd SECRETHUB_CREDENTIAL and I still couldn't find anything helpful.

  2. I read the page and still couldn't find the answer.
    a. (I'm writing (a) after I already know the answer) - the following docs don't specify on which sub-commands I can use it and that it will return SECRETHUB_CREDENTIAL - which is what I was looking for.
    [image]

  3. I came back to your original answer and found it here:

So, to get a credential for your GitHub Actions pipeline, you'd run:

secrethub service init --clip --description "GitHub Actions pipeline for my project" <path/to/repo>

Note that I've passed --clip, which copies the credential to your clipboard (for 45 seconds), so that you can easily paste it into a GitHub secret using their website (https://github.com/<namespace>/<project>/settings/secrets).

Now the questions I'm asking myself are:
a. "how do I get the SECRETHUB_CREDENTIAL of a service after the init process (or after 45 seconds)? (I don't have an answer for that (even now))
b. "how do I give more read permissions to a service"? (if it's possible - I would expect to find a "section" just for that).


I may ask the "wrong questions". But even if that's the case, you guys can profit from that too - if we see other users ask the same questions -> how can we make sure it won't happen to other users?

thanks!

from secrethub-cli.

stavalfi avatar stavalfi commented on June 14, 2024

Thanks for the response, fixes and the compliments!


If you're up for one more round, I'd really appreciate if you could share whether you have any remaining questions unanswered with this update of the docs.

I read the new docs and they answer everything I wanted to ask.

  • Now I also see that the docs on the GitHub Action have a link to the relevant doc, and a simple Ctrl+F search for SECRETHUB_CREDENTIAL sends me to what I need.
  • Now I won't even think to search for my personal machine credentials, which is a very bad idea.

What made you ask this question? Did the 45 seconds run out before you pasted the credential in the GitHub secret? I believe 45 seconds is rather short, which is why I'm suggesting to increase the timeout to 3 minutes. Do you think that would be enough?

I didn't think about the time I have to copy-paste. I asked myself how I can use the same service that I already configured in a different place (additional CI/...).

Because some systems, like GitHub, don't let me read secrets after configuring them, and I would like to avoid at all costs saving the credentials of a service somewhere.

so I'm thinking now that maybe you guys don't want us to use the same service in multiple places.


Do I get correctly that it currently is not clear that the Flags section containing the --clip flag is part of the section on the Init sub-command specifically?

I think we should make some changes to the design that make clearer what belongs together (e.g. more space around this horizontal line dividing the different sub-commands).

I think that a simple solution for all the "what subcommand/flag can I use here" questions is to provide bash, zsh and fish completions ;)

  • I wanted to open a different issue for that because this is really needed :P)

from secrethub-cli.
