Open aballiet opened 7 months ago
To add to this and as discussed, I think the ideal syntax is:
```python
from kestra import Kestra

myOutputValue = "someComplicatedString"
Kestra.outputs({
    # Kestra.encrypt is the function proposed in this issue
    "myOutput": Kestra.encrypt(myOutputValue)
})
```
We could parse the logs before sending them to the Kestra logger with the DefaultLogConsumer (and encrypt the values that need it), but it would still have them in the container logs, so I believe we should send the encryption key to the Python process and do the AES encryption within it...
Should be available through env variables
I'm unsure about security around this as it means any user could just print the key and it would be a security failure I think :thinking:
Currently there is no way to output a secret value from a python script.
Users could use a Python script to retrieve a token value (like a temporary GitHub token or one from any external system) not handled by plugins.
Implementation could look like :
In order to encrypt, an `encrypt` function should be available, similar to the Pebble one.
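
The design discussed in the comments above (key handed to the Python process through an environment variable, AES performed inside the script), as an added example that is not part of the thread or of Kestra's code. The variable name `KESTRA_ENCRYPTION_KEY`, the token layout (nonce followed by ciphertext, base64) and the helper names are assumptions, and it relies on the third-party `cryptography` package.

```python
import base64
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Hypothetical variable name (assumption), not a documented Kestra setting.
KEY_ENV = "KESTRA_ENCRYPTION_KEY"


def _load_key() -> bytes:
    """Read the base64-encoded AES key the worker is assumed to inject."""
    key = base64.b64decode(os.environ[KEY_ENV])
    if len(key) not in (16, 24, 32):
        raise ValueError("AES key must be 128, 192 or 256 bits")
    return key


def encrypt(value: str, output_name: str) -> str:
    """AES-GCM encrypt value; the output name is bound as associated data."""
    nonce = os.urandom(12)  # fresh 96-bit nonce for every call
    sealed = AESGCM(_load_key()).encrypt(nonce, value.encode(), output_name.encode())
    return base64.b64encode(nonce + sealed).decode()


def decrypt(token: str, output_name: str) -> str:
    """Server-side counterpart; raises InvalidTag on a modified token or name."""
    raw = base64.b64decode(token)
    return AESGCM(_load_key()).decrypt(raw[:12], raw[12:], output_name.encode()).decode()


def demo() -> dict:
    """Round-trip a constructed value and record what the task process can see."""
    os.environ[KEY_ENV] = base64.b64encode(AESGCM.generate_key(bit_length=256)).decode()
    token = encrypt("someComplicatedString", "myOutput")
    try:
        decrypt(token, "otherOutput")
        replayed = True
    except InvalidTag:
        replayed = False  # token is not accepted under another output name
    return {
        "token": token,
        "roundtrip": decrypt(token, "myOutput"),
        "accepted_under_other_name": replayed,
        "key_readable_by_script": KEY_ENV in os.environ,
    }


if __name__ == "__main__":
    print(demo())
```

`key_readable_by_script` comes back `True`: with a symmetric key in the environment, the script that encrypts can also read the key, which is the concern raised in the thread.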