search

broadinstitute / cromwell-tools

A collection of Python clients and accessory scripts for interacting with the Cromwell
https://cromwell-tools.readthedocs.io
BSD 3-Clause "New" or "Revised" License
22 stars 9 forks source link

[Discussion] Whether to support storing credentials locally #74

Open rexwangcc opened 5 years ago

rexwangcc commented 5 years ago

Right now each time you run the cromwell-tools command, it's required to pass in the auth params, such as --username, --password and --service-account-key, it has been a burden to users, since it is too much to type when you just wanna abort a workflow but you have to:

cromwell-tools abort \
--url xxx \
--username xxx \
---password xxx \
UUID

Some other CLI tools, such as aws, gsutilor kubectl are supporting caching the credentials under ~/.aws or ~/.config, so that you could leverage xxx auth select or xxx config use-credentials to switch between stored credentials/roles. It would somehow make the tool less secure, but incredibly help improve the user-friendliness. This issue serves as a discussion area to talk if we should add that feature in cromwell-tools, which will cover some commands like:

ambrosejcarr commented 5 years ago

It would somehow make the tool less secure

I'm not sure I agree; I think caching credentials locally as you suggest reduces the likelihood that someone checks in a script somewhere with credential strings as required:

cromwell-tools abort \ --url xxx \ --username xxx \ ---password xxx \ UUID

I like the approach taken by aws/gcp that you suggest above. Suggest implementing 👍