Open joshuacullenlux opened 1 year ago
Thanks for raising this @joshuacullenlux - @andre5oto is working on understanding the design for this and thus effort involved in future roadmap.
Appreciate all the 👍’s. @joshuacullenlux and community, we are putting together a requirements doc and use cases like this are very helpful. We have identified and are considering focal points in our approach to delineate these capabilities for the deploy
and operate
app permissions:
Separate capabilities to push code and read/write config vars
Separate capabilities to push code and manage non-paid Add-ons
Separate capabilities to view/manage logs and read/write config vars
Please tell us what you think about this approach? Let us know if there are other use cases we should consider.
We're also quite worried about this, in a context of API tokens stored in CI - see my comment on Access Tokens v2.
A limited deployer role also shouldn't be able to read config vars, otherwise they can just get database access through the DATABASE_URL
provided by Postgres addon. And of course they shouldn't be allowed heroku exec
(since the app execution context naturally has access to all of these).
We're doing container deploys (heroku container:push
), can you please ensure that's accounted for under the "release" use case?
I would consider this a baseline feature for Heroku users, rather than having essential security locked away in Heroku Enterprise.
Update: we have begun internal testing on a feature to mask sensitive config var values for Heroku PG and Redis add-ons. We will be introducing a pilot soon where customer can participate and test this feature.
Limited pilot announced in #24 for Write-Only Config Vars to solve for this issue. Sign up form included.
Required Terms
What service(s) is this request for?
Security, Postgres, Addons
Tell us about what you're trying to solve. What challenges are you facing?