A vault secret to read arbitrary variables from and pass to children

picostack / pico

A Git-driven task runner built to facilitate GitOps and Infrastructure-as-Code while securely passing secrets to tasks.

https://pico.sh

MIT License

54 stars 6 forks source link

A vault secret to read arbitrary variables from and pass to children #46

Closed Southclaws closed 4 years ago

Southclaws commented 4 years ago

This can also be used to solve #24

Essentially, any variables prefixed with PICO_ can be reserved for Pico use, such as PICO_GIT_USERNAME to solve #24

Then, any other variables can just be passed to every future task.

The secret can sit at VAULT_CONFIG_PATH which will default to pico. Along with the default base path, this would place the default config path at /secret/pico which seems logical.

Southclaws commented 4 years ago

Currently, all environment variables from the process are passed to children. This is insecure and can leak information about the host machine into children and reduce the boundary between applications.

This should be disabled and only variables that are prefixed should be passed through (with the prefix stripped).

And the same logic applied to secret stores.

Southclaws commented 4 years ago

The PR for #24 landed but with the names GIT_* instead of PICO_ prefixed.