Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Support pluggable Settings Backends and Secrets Backends

See original GitHub issue

Related to pluggable STATE backend discussion:

Migrated from GitLab: https://gitlab.com/meltano/meltano/-/issues/2918

Originally created by @kgpayne on 2021-09-03 09:33:09

Problem to solve

Meltano should support multiple secrets backends so that secret config values can be managed in the same way that general config is.

Meltano provides a convenient, centralised configuration management and injection layer for managing all the tools in the data science workflow. However this doesn’t currently include secret config values such as passwords, tokens and keys. This sensitive data must currently be handled by the user outside of meltano, with secrets being injected at runtime using environment variables. This is both an inconvenience for regular users and a barrier to entry for people new to meltano.

Backends to Prioritize

  • AWS Parameter Store
  • Azure Key Vault

Target audience

  • Users deploying meltano in a production environment.
  • Users who want to get or set setting values and secrets values from an external authority.

Proposal

Yaml for adding an environment-specific parameter store:

# ...
environments:
  dev:
    settings_backend: <plugin-name>
    secrets_backend: <plugin-name>
    # ...
  staging:
    settings_backend: <plugin-name>
    secrets_backend: <plugin-name>
    # ...
  prod:
    settings_backend: <plugin-name>
    secrets_backend: <plugin-name>
    # ...

Resolving settings at runtime (first match wins):

  1. Secrets backend (if set and if kind: password)
  2. Settings backend (if set)
  3. environment variables
  4. .env file (aka dotenv)
  5. systemdb
  6. yaml

Implementation thoughts

  • The secrets backend should be pluggable, to support all the different places secrets can be stored today (AWS Parameter Store, Hashicorp Vault, git-crypt etc.).
  • Meltano should supply a default secrets backend, with either file-based encryption (git-crypt) or its database (with password hashing, ala Airflow).

What does success look like, and how can we measure that?

Users can manage all config through meltano. Security best practices are built-in rather than left as an exercise to the user.

Plugin Commands Required

These commands are required to be declared on any settings_backend or secrets_backend plugin:

  • list_keys - list all keys with values that have been set
  • get_key_value - get a specific key value
  • set_key_value - set a specific key value
  • clear_key_value - clear a specific key value
  • check_key_exists - check if a key exists with a value set

Related but out of scope

Promotion

We’ll want a blog post to go out about this https://github.com/meltano/internal-marketing/issues/530

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:9 (5 by maintainers)

github_iconTop GitHub Comments

1reaction
pandemicsyncommented, Jul 27, 2022

Peeking at https://github.com/apache/airflow/blob/main/airflow/secrets/base_secrets.py#L25:7 and a sample implementation for Hashicorp Vault: https://github.com/apache/airflow/blob/main/airflow/providers/hashicorp/secrets/vault.py

Could we get a quick win by just having the first version of a secrets plugin be one that just essentially wrap’s the Airflow secrets backends in a cli?

1reaction
aaronsteerscommented, Jul 26, 2022

@cjohnhanson - re:

Do we necessarily want to treat secrets that differently than other settings? One approach to this would be to just implement secrets backends as SettingsValueStores.

I’ve been considering the same and I raised the same today to @tayloramurphy. I’m renaming this issue to reflect the backend as a hybrid parameter/setting/secret backend - similar to AWS Parameter Store’s capability of handling Secrets as well as non-secret config options.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Support configuration for pluggable backends and secrets ...
The only way to configure them is via environment variables. This leads to a couple problems: The configuration might need to be different ......
Read more >
Secret Backends - Spring
Spring Cloud Vault supports both Key-Value secret backends, the versioned (v2) and unversioned (v1). The key-value backend allows storage of arbitrary ...
Read more >
Oracle - Database - Secrets Engines | Vault
Oracle is one of the supported plugins for the database secrets engine. This plugin generates database credentials dynamically based on configured roles for ......
Read more >
Native support for pluggable backends in SQLite - SQLite Forum
We have a Data Model stored a xml files, which are run through a "Data Model Compiler" to produce config files for the...
Read more >
Backend storage | Apache SkyWalking
yaml file is that the Secrets Management File is being watched by the OAP server. Once it is changed manually or through a...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Clarify "setting.aliases" behavior - in relation to previous "env_alias"

Next page

Refresh catalog on every invoke (fresh_catalog: true)