Closed flickerfly closed 4 years ago
Thanks @flickerfly for reaching out. So I understand, you're trying to use the CLI config file: https://docs.anchore.com/current/docs/installation/anchore_cli/cli_config/ and finding that the $HOME lookup isn't working? The normal location is `~/.anchore/credentials.yaml`, but you need it to be customized, correct?
Yes, nailed it! :-)
I envision this being used in 2 ways: `ANCHORE_CLI_CONFIG=/my/config/path.yaml` would be my ideal way to identify the location of the config for my purposes, but if it isn't too big a deal, I bet someone else would appreciate the option to pass it as an argument to the CLI. Maybe, `anchore-cli -c /my/config/path.yaml`.
I agree, once it's configurable a command option or env variable both should be available for it. Great. I've put this on the backlog for the next release. I'm also happy to help with a PR if you're interested in contributing :smiley:
Looks like https://github.com/anchore/anchore-cli/blob/master/anchorecli/cli/utils.py is where the changes need to happen.
Move lines 66-122 up to 40. Add `ANCHORE_CLI_CONFIG` to line 67 and then an `if settings['ANCHORE_CLI_CONFIG']` below `try:` at line 41 to set `credential_file`, else set the default value. Then set up the `cli_opts` glue to deal with the command argument version and set the usage stuff in `__init__.py`.
Does that pretty much cover it?
I run anchore cli in a container via Jenkins. Currently, I mount a volume to the container with the env variables to avoid having the password be in the open as much as possible, but this still means that I have to `source $configfile` to load the variables and my password is loaded into the session as a cleartext env. At this point, if some debug dumps env it'll expose the password. Of course, other things can also happen to expose this. It would protect my password a bit more if I could simply pass anchore-cli a config file that had the URL, Password, username and the like in it. Then it would never be a part of the session, only the location of the file and someone would need to gain some terminal access to the container in order to expose that information which is easier for me to protect versus dumping info into the logs.
There are some technical reasons in my deployment which complicate me from using the $HOME variable as my location for the config which is why this would be made much easier if the config location was dynamic.
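The lookup order discussed in this thread (a `-c` argument, then `ANCHORE_CLI_CONFIG`, then `~/.anchore/credentials.yaml`), as an added example that is not anchore-cli's code and not part of any comment above. The function names and the permission check on the credentials file are assumptions made for illustration; the flag and the variable are the ones proposed here, not options known to exist in a release.

```python
import os
import stat

# Default location named in the thread; ENV_VAR is the variable proposed there.
DEFAULT_PATH = os.path.join("~", ".anchore", "credentials.yaml")
ENV_VAR = "ANCHORE_CLI_CONFIG"


def resolve_config_path(cli_arg=None, environ=None):
    """Return (path, source). Precedence: -c argument, env var, default."""
    environ = os.environ if environ is None else environ
    if cli_arg:
        return os.path.expanduser(cli_arg), "argument"
    if environ.get(ENV_VAR):
        return os.path.expanduser(environ[ENV_VAR]), "environment"
    return os.path.expanduser(DEFAULT_PATH), "default"


def check_credentials_file(path):
    """Return a list of reasons the file should not be trusted (empty = OK)."""
    try:
        st = os.stat(path)
    except OSError as err:
        return ["cannot stat %s: %s" % (path, err.strerror)]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    # The file holds a password: no group or other access of any kind.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o grants group/other access"
                        % stat.S_IMODE(st.st_mode))
    # Only the invoking user or root should own it (POSIX only).
    if hasattr(os, "getuid") and st.st_uid not in (0, os.getuid()):
        problems.append("owned by unexpected uid %d" % st.st_uid)
    return problems


def load_config_path(cli_arg=None, environ=None):
    """Resolve the config path and refuse it if the file is exposed."""
    path, source = resolve_config_path(cli_arg, environ)
    problems = check_credentials_file(path)
    if problems:
        # The message names the path and its source, never file contents.
        raise PermissionError("%s (from %s): %s"
                              % (path, source, "; ".join(problems)))
    return path
```

With this shape only the file's location appears in the process environment, so an `env` dump in a build log shows a path rather than the password.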