Infisical / infisical

♾ Infisical is the open-source secret management platform: Sync secrets across your team/infrastructure, prevent secret leaks, and manage internal PKI
https://infisical.com

[ENG-152] Secret dependency #1049

Open zifeo opened 9 months ago

zifeo commented 9 months ago

Feature description

Ability to sync or inherit secrets between projects.

Why would it be useful?

Sometimes "global" secrets (think of a certificate signing some apps) must be shared between projects (think app A and app B signed by the same certificate). Currently the CI cannot use a service account to access 2 projects, thus a way to embed those global secrets and keep them in sync is important.

Additional context

An alternative implementation could be to have a service account like a user and use a secret aggregator like lade.

From SyncLinear.com | ENG-152

Grraahaam commented 9 months ago

Hey @zifeo !

Might be related: https://infisical.com/docs/documentation/platform/secret-reference#referencing-syntax And discussed here: https://github.com/Infisical/infisical/issues/32

Would that fit your current use case?

Cheers

zifeo commented 9 months ago

@Grraahaam does that support referring a secret into another project?

Grraahaam commented 9 months ago

@Grraahaam does that support referring a secret into another project?

TL;DR I don't think it can refer secrets from another "project", but it can from another "folder" 🤷🏽‍♂️

Then it'll depend on how you've structured your secrets. Take a look at the syntax, it's pretty straightforward:

So if you want sub-services to be able to use referenced secrets you'll have to structure it like (in a single project though):

Your PR is about "project" secrets referencing, so it is different (while providing the same kind of feature at the "folder" level).

I just wanted to highlight the fact that a similar case has already been discussed earlier, in case it could help people bumping into this issue ✌️

Cheers 🤙🏽
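As an added illustration of the folder-versus-project scoping described in the comment above (example code written for this page, not Infisical's implementation), the resolver below expands references only within one project, so the only way for app B to use app A's "global" secret is a manual copy, and a second helper shows how such copies drift. The `${env.folder.NAME}` reference shape and the project/environment/folder data layout are assumptions for the example.

```python
import re

# Simplified model of the folder-level secret referencing discussed above:
# a reference may point at another environment/folder inside the SAME
# project, never at another project. The "${env.folder.NAME}" shape is an
# assumption for this example, not Infisical's exact reference syntax.
REF_RE = re.compile(r"\$\{([A-Za-z0-9_-]+)\.([A-Za-z0-9_/-]+)\.([A-Za-z0-9_]+)\}")

# Constructed sample store: project -> environment -> folder -> {secret: value}.
# Both apps carry their own copy of the "global" signing cert, and the copies
# have already drifted (placeholder strings, not real certificates).
PROJECTS = {
    "app-a": {"prod": {
        "/": {"APP_CERT": "${prod./shared.SIGNING_CERT}"},
        "/shared": {"SIGNING_CERT": "cert-v2-placeholder"},
    }},
    "app-b": {"prod": {
        "/": {"APP_CERT": "${prod./shared.SIGNING_CERT}"},
        "/shared": {"SIGNING_CERT": "cert-v1-placeholder"},
    }},
}

class UnresolvedReference(Exception):
    """Raised for a reference to a missing secret or a reference cycle."""

def resolve(project, env, folder, name, _seen=frozenset()):
    """Return the fully expanded value of one secret, following references
    recursively but only within the same project."""
    key = (env, folder, name)
    if key in _seen:
        raise UnresolvedReference(f"reference cycle at {project}:{key}")
    try:
        raw = PROJECTS[project][env][folder][name]
    except KeyError:
        raise UnresolvedReference(f"{project}:{env}:{folder}:{name} not found")
    seen = _seen | {key}
    return REF_RE.sub(lambda m: resolve(project, m[1], m[2], m[3], seen), raw)

def distinct_values(env, folder, name):
    """Resolve a manually duplicated secret in every project that holds it and
    return the set of distinct values; more than one means the copies drifted."""
    values = set()
    for project in PROJECTS:
        try:
            values.add(resolve(project, env, folder, name))
        except UnresolvedReference:
            continue  # this project has no copy of the secret
    return values
```

Running `distinct_values("prod", "/", "APP_CERT")` on the sample store returns two values, which is exactly the out-of-sync situation the issue asks to avoid.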

zifeo commented 9 months ago

@Grraahaam thanks, however we sadly need different projects as team members might not all have the same permissions (yet still all the access to the shared secrets). Happy to close in favour of the previous request if the use case is equivalent.

ohmydevops commented 7 months ago

Same here, I used another approach for this problem and it works.

zifeo commented 7 months ago

@ohmydevops What approach did you use?

Emiliaaah commented 6 months ago

In our environment this would be a pretty critical feature. Having the option to reference things like SMTP credentials in multiple projects would make managing them all a lot easier, since you wouldn't have to update them for every project. This would stop the need for changing the credentials in 10 different projects, since you can just update them once.

This also gives you a better overview, since you no longer have to figure out which one is the newest version.