rachhouse
commented
10 months ago Hi @SashiDareddy, thanks for surfacing this issue! We've captured it for review.
Open SashiDareddy opened 10 months ago
rachhouse
commented
10 months ago Hi @SashiDareddy, thanks for surfacing this issue! We've captured it for review.
Describe the bug In How to configure credentials using secrets manager we are told that if we add a prefix such as
secret|<url to Azure Key Vault identifier >then Gx can retrieve the connection string stored in Azure Key Vault [AKV].In GX
0.15.34I could passsecret|https://my-vault-name.vault.azure.net/secrets/my-secretas my connection string (here my-secret refers to a Postgres connection string) in the YAML (to be clear thegreat_expectations.ymlcontained the connection string pointing to the literal valuesecret|https://my-vault-name.vault.azure.net/secrets/my-secretand it worked exactly as the document linked above said it would. Every time we run a profiling task GX would call the Azure Key Vault and fetch the secure string.This is also how it worked in
0.16.14- however in the latest version0.17.15the GX is now replacing the literal valuesecret|https://my-vault-name.vault.azure.net/secrets/my-secretwith the actual connection string in great_expectation.yml file which is a big security risk as the users will be under the impression that even if someone manages to get hold of the great_expectation.yml file all they would see issecret|https://my-vault-name.vault.azure.net/secrets/my-secretbut this is appears no longer to be the case.In the past I had raised a related issue with regards to secret substituition: Variable Substitution not working with Secret Managers (Azure Key Vault) #8034 this no longer appears to be an issue in
0.17.15I wonder if someone tried to fix the issue described earlier and inadvertantly introduced a bug which exposes the raw connection string fetched from Azure Key Vault.To Reproduce Try adding a SQL data source where you provide the connection string as secret| eg:
secret|https://my-vault-name.vault.azure.net/secrets/my-secret. You will notice that thegreat_expectation.ymlwill hold the raw connection string instead of the literal valuesecret|https://my-vault-name.vault.azure.net/secrets/my-secretExpected behavior If a user provides a secret manager variable such as
secret|https://my-vault-name.vault.azure.net/secrets/my-secretGX should retain this in the great_expectation.yml. It must query the secrets manager to fetch the secure string at runtime every time it needs - just like it used to be the case GX 0.15.x versions.Environment (please complete the following information):