search

canonical / s3-integrator

An integrator charm for handling s3 credentials
https://charmhub.io/s3-integrator
Apache License 2.0
2 stars 2 forks source link

Add config options for access-key, secret-key #76

Closed sed-i closed 1 week ago

sed-i commented 2 weeks ago

Problem

For COS we're now using s3-integrator in all deployments. With terraform, running actions on a deployment is a bit involved.

Solution

Add config options for access-key, secret-key. Since the secrets are already stored in reldata, not much additional harm having them also in the config. Fixes #62.

Side-effect

Since we can now have credentials from two sources (action, config), the new logic introduced in this PR has a new side effect: even when the config options are cleared via

juju config s3i access-key= secret-key=
# or
juju config s3i --reset access-key,secret-key

the credentials still stay in app data. To clear app data after config values were cleared, we'd need to follow-up with the action,

juju run s3i/0 sync-s3-credentials access-key= secret-key=
delgod commented 1 week ago

Hi Leon,

It is an intentional design choice not to have access and secret keys as config values because this approach is not secure. Please contact Jon if you have any concerns about insecure config options.

On the other hand, we cannot move to user secrets yet because we need to support Juju 2.9 deployments. Our intent is to eventually add s3 interface support to object-storage-integrator and use it on Juju 3+ deployments.

sed-i commented 1 week ago

Hi @delgod, Not sure what you mean. Yes, secrets as config options are not great, but this charm is already leaking same secrets over peer relation. I.e., afaiu, the secrets are cleartext via juju show-unit already.