harleylang / hydroxide-docker

Docker configuration examples for the hydroxide package
MIT License

Reconsider single-factor authentication #13

Closed arichtman closed 2 years ago

arichtman commented 3 years ago

Consider allowing for non-2FA. Seems really insecure as the full credentials would linger in the container. Then again, it's hardly secure anyway; there's no access token expiry afaik.

harleylang commented 3 years ago

A way that we can strengthen .env is by providing a script that (1) asks for all relevant information (username, password, etc.) and then (2) creates a .env file with those values encrypted. At runtime, the Dockerfile / Docker-Compose would require the decryption key. Potential con: could be a bottleneck for auto-scaling? However, if the image is generated and pulled from elsewhere, this may only be required for the build step.
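
The encrypted `.env` idea from the comment above, sketched as an added example (not code from this repository or from hydroxide): each value is sealed with AES-256-GCM and opened at run time with a key supplied separately. The variable name `HYDROXIDE_PASS`, the function names and the all-zero demo key are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// newAEAD builds AES-GCM from the key supplied at run time (32 bytes = AES-256).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealValue returns base64(nonce || ciphertext || tag) for one .env value.
// The name is bound as associated data, so a value cannot be moved to another name.
func sealValue(a cipher.AEAD, name, val string) (string, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := a.Seal(nonce, nonce, []byte(val), []byte(name))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// openValue is the run-time step: a wrong key or an edited entry is an error.
func openValue(a cipher.AEAD, name, sealed string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(sealed)
	n := a.NonceSize()
	if err != nil || len(raw) < n {
		return "", fmt.Errorf("%s: malformed entry", name)
	}
	val, err := a.Open(nil, raw[:n], raw[n:], []byte(name))
	if err != nil {
		return "", fmt.Errorf("%s: wrong key or modified entry", name)
	}
	return string(val), nil
}

func main() {
	a, _ := newAEAD(make([]byte, 32)) // constructed all-zero demo key, illustration only
	s, _ := sealValue(a, "HYDROXIDE_PASS", "constructed-password")
	fmt.Println("HYDROXIDE_PASS=" + s) // the line that would be written to .env
}
```

The key still has to reach the container at run time, so this protects the `.env` file at rest and not a running container that already holds the key.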

harleylang commented 2 years ago

Closed. See: https://github.com/harleylang/hydroxide-docker/pull/20#issuecomment-1002132390