influxdata / telegraf

Agent for collecting, processing, aggregating, and writing metrics, logs, and other arbitrary data.
https://influxdata.com/telegraf
MIT License
14.6k stars 5.57k forks

Require a password to be entered when revealing secrets for the secretstores.os #12661

Closed jackbenimble999 closed 1 year ago

jackbenimble999 commented 1 year ago

Use Case

For security reasons, please add the capability to have a password required to view the contents of the secret store for secretstores.os.

Expected behavior

  1. telegraf --config telegraf_mqtt_to_influxdb_standalone.conf secrets list --reveal-secret os_secrets
  2. Enter password:

Actual behavior

  1. telegraf --config telegraf_mqtt_to_influxdb_standalone.conf secrets list --reveal-secret os_secrets
  2. secrets are shown

Additional info

[[secretstores.os]]
  id = "os_secrets"

[[inputs.mqtt_consumer]]
  servers = ["tcp://127.0.0.1:1883"]
  topics = [
    "influxtopic/#",
  ]
  qos = 2
  max_undelivered_messages = 1000
  persistent_session = true
  client_id = "InfluxDataStandalone"
  username = "admin"
  password = "@{os_secrets:my_secret_password}"
  data_format = "influx"

[[outputs.influxdb_v2]]
  urls = ["http://127.0.0.1:8086"]
  token = "@{os_secrets:my_secret_token}"
  organization = "MY_ORK"
  bucket = "events"

srebhan commented 1 year ago

This is totally out of scope for Telegraf. The secretstores.os plugin uses the operating system's implementation, i.e. Linux kernel keyring, Windows Credential Manager or MacOS' Keychain, depending on the OS. Those operating systems DO NOT require passwords, so there is no way to add a password there!

You can use secretstores.jose to provide a persistent, password-protected secret-store.

Closing as this is not in the hands of Telegraf and will never be.
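Added example, not part of the original thread or the Telegraf project's own files: the configuration from the issue switched from secretstores.os to the password-protected secretstores.jose store suggested in the reply. The store id `jose_secrets` and the `path` value are assumptions chosen for illustration; the option names follow the plugin's documented settings, and the secrets have to be added to the new store again because it does not read the OS keyring.

```toml
# Before (from the issue): OS keyring store. Any process running as the
# same user can read it, so "secrets list --reveal-secret" shows values
# without asking for anything.
# [[secretstores.os]]
#   id = "os_secrets"

# After: file-based JOSE store, encrypted with a password.
[[secretstores.jose]]
  # Hypothetical id; it must match the @{<id>:<key>} references below.
  id = "jose_secrets"

  # Assumed directory for the encrypted secret files. Restrict it to the
  # account Telegraf runs as.
  path = "/etc/telegraf/secrets"

  # Left unset on purpose: Telegraf then asks for the password when it
  # starts. Writing the password here puts it in clear text next to the
  # secrets it protects.
  # password = ""

[[inputs.mqtt_consumer]]
  servers = ["tcp://127.0.0.1:1883"]
  topics = [
    "influxtopic/#",
  ]
  qos = 2
  max_undelivered_messages = 1000
  persistent_session = true
  client_id = "InfluxDataStandalone"
  username = "admin"
  # Reference now points at the JOSE store instead of os_secrets.
  password = "@{jose_secrets:my_secret_password}"
  data_format = "influx"

[[outputs.influxdb_v2]]
  urls = ["http://127.0.0.1:8086"]
  token = "@{jose_secrets:my_secret_token}"
  organization = "MY_ORK"
  bucket = "events"
```

With no password in the file, an unattended service start needs some other way to supply it, so this layout suits interactive or supervised starts.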