Open jkroepke opened 1 year ago
A proper fix for this is actually going to be hard to do. However, we could probably add a flag to disable the source pretty-printer until we have the capacity to implement a proper fix.
Alternatively, we could discourage hard-coding secrets into the config, and encourage using env or another component instead to retrieve those secrets.
It's really hard to define environment variables on a Windows system.
It is only possible to define variables in the computer context (which would expose the secrets to all users) or in the user context. In this case, I had no idea how to define an environment variable for the SYSTEM user.
However, if I put the password in a file and remove all restrictions from the directory so that only admins can read it, that feels safer than using environment variables.
Regardless I agree it's surprising behavior. I would still be fine with a flag to disable the pretty-printer so the source doesn't get shown in logs.
Regardless I agree it's surprising behavior.
Not sure, but also on Linux systems, the /etc directory contains a lot of files with passwords. Even the environment files for systems are living in /etc.
I know, on containers env variables are the way to go, but on classical virtual machine deployments, it's a bit different.
I know I mentioned environment variables, but I personally prefer files, either via loading them using local.file or by using the appropriate password_file argument. One reason to do that is to allow the file contents to change at runtime and not need to restart the process (like you would need to when changing environment variables).
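The two file-based options mentioned in the comment above, as an added example that is not part of the original thread or the project's own configuration. The component labels, URL, username and file paths are constructed placeholders; the point is that the config source holds only a path, so nothing sensitive is present if the source ends up in a log.

```river
// Added example; labels, URL, username and paths are assumed placeholders.

// Weak form, shown commented out: the password is part of the config
// source, so anything that prints the source also prints the password.
//
// prometheus.remote_write "hardcoded" {
//   endpoint {
//     url = "https://metrics.example.invalid/api/v1/write"
//     basic_auth {
//       username = "agent"
//       password = "CONSTRUCTED-PLACEHOLDER-PASSWORD"
//     }
//   }
// }

// Option 1: read the password with local.file and mark it as a secret.
// Restrict the file's ACL to the account the agent runs as.
local.file "rw_password" {
  filename  = "C:/ProgramData/agent-secrets/rw_password.txt"
  is_secret = true
}

prometheus.remote_write "via_local_file" {
  endpoint {
    url = "https://metrics.example.invalid/api/v1/write"
    basic_auth {
      username = "agent"
      // Only a reference appears in the source, never the value.
      password = local.file.rw_password.content
    }
  }
}

// Option 2: let the component read the file itself via password_file.
prometheus.remote_write "via_password_file" {
  endpoint {
    url = "https://metrics.example.invalid/api/v1/write"
    basic_auth {
      username      = "agent"
      password_file = "C:/ProgramData/agent-secrets/rw_password.txt"
    }
  }
}
```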
Are local variables planned for river? In that case, this would also mitigate the issue here.
@jkroepke Not with that exact implementation, but grafana/alloy#154 would be the equivalent behavior to Terraform's locals block.
What's wrong?
If an http.remote contains credentials and the connection fails on start, then the whole module with all its properties is visible in the log, which can cause a credentials leak.
Steps to reproduce
System information
Windows
Software version
Grafana Agent v0.34.5
Configuration
Logs