A vault secret to read arbitrary variables from and pass to children #46
Comments
|
Currently, all environment variables from the process are passed to children. This is insecure and can leak information about the host machine into children and reduce the boundary between applications. This should be disabled and only variables that are prefixed should be passed through (with the prefix stripped). And the same logic applied to secret stores. |
|
The PR for #24 landed but with the names |
Southclaws
added a commit
that referenced
this issue
Mar 23, 2020
Adds a new option: pass-env, which when true will pass the pico process environment to children. Defaults to false to promote separation of environments. Adds support for passing prefixed variables from the global Pico. The prefix is GLOBAL_ and is not configurable because I felt the config flags are growing. Adds some better unit tests for execution config and environment merging.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This can also be used to solve #24
Essentially, any variables prefixed with
PICO_can be reserved for Pico use, such asPICO_GIT_USERNAMEto solve #24Then, any other variables can just be passed to every future task.
The secret can sit at
VAULT_CONFIG_PATHwhich will default topico. Along with the default base path, this would place the default config path at/secret/picowhich seems logical.The text was updated successfully, but these errors were encountered: