taers232c / GAMADV-XTD3

Command line tool to manage Google Workspace

Protect Secrets #161

Closed CzechJiri closed 1 year ago

CzechJiri commented 3 years ago

Currently, all secrets in files client_secrets.json, oauth2.txt and oauth2service.json are unprotected

It would be worth trying to create a pluggable option for storing the sensitive values of these files securely (keyring, HashiCorp Vault, local GPG decryption, ...) without the unencrypted content touching the disk.

taers232c commented 3 years ago

Jiri,

Jay has added YubiKey support to his version, it's on my todo list.

Ross


CzechJiri commented 3 years ago

thank you!

Better something than nothing... this won't help in centrally managed GAM environments (we keep execution very controlled and audited). I wish Jay would make this component pluggable.

taers232c commented 3 years ago

Jiri,

What do you mean by "make this component pluggable"?

Send me a Meet/Zoom invitation if you'd like to discuss.

Ross


richardwadsworth commented 3 years ago

Hi @taers232c. Plus one on this request, please.

By "make this component pluggable" I believe @CzechJiri means "to be able to choose which secrets management solution to store the secrets in" and the choice could be a configuration setting in gam.config.

It would be a huge security win to be able to store the secrets in a key vault such as GCP Secret Manager, AWS Key Management Service or Azure KeyVault.

The option to use the existing "plain text file" secret storage (e.g. client_secrets.json, oauth2.txt and oauth2service.json) could remain, but a choice to use a more secure secrets management solution would be a win.
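One way to shape the pluggable store Richard describes, written as an added example for this thread and not GAM's own code: the backend is chosen by a `secret_backend` key in gam.config (an assumed key), the plaintext-file backend stays the default but refuses files other local users can read, and a second backend takes the JSON from `GAM_SECRET_*` environment variables (also an assumption, standing in for a vault agent) so nothing unencrypted is written to disk. The sample secret and config are constructed.

```python
import configparser, json, os, stat, tempfile
from pathlib import Path

SECRET_FILES = ("client_secrets.json", "oauth2.txt", "oauth2service.json")  # GAM's plaintext credential files named in the issue

def load_from_file(config_dir, name):
    """Today's behaviour (plaintext JSON next to gam.config), but refuse files other local users can open."""
    path = Path(config_dir) / name
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{name} is group/world accessible (mode {oct(mode)})")
    return json.loads(path.read_text())

def load_from_env(config_dir, name):
    """Hypothetical backend: a vault agent injects the JSON as GAM_SECRET_<FILE>, so cleartext stays in memory."""
    key = "GAM_SECRET_" + name.upper().replace(".", "_")
    if key not in os.environ:
        raise KeyError(f"{key} is not set")
    return json.loads(os.environ[key])

BACKENDS = {"file": load_from_file, "env": load_from_env}  # plug-in registry; a Vault or keyring store is one more entry
def load_secret(config_path, name):
    """Select the backend via a hypothetical 'secret_backend' key in gam.config and load one secret file."""
    if name not in SECRET_FILES:
        raise ValueError(f"{name} is not a GAM secret file")
    cfg = configparser.ConfigParser()
    cfg.read(config_path)
    backend = cfg.get("DEFAULT", "secret_backend", fallback="file")  # default keeps the old behaviour
    loader = BACKENDS[backend]  # KeyError for an unknown backend name
    return loader(Path(config_path).parent, name)  # dict in memory, ready for google-auth's from_*_info() helpers

def demo():
    """Constructed sample run: (file backend ok, exposed file refused, env backend ok)."""
    secret = {"installed": {"client_id": "CONSTRUCTED-ID"}}
    with tempfile.TemporaryDirectory() as d:
        cfg, cs = Path(d) / "gam.config", Path(d) / "client_secrets.json"
        cs.write_text(json.dumps(secret))
        cs.chmod(0o600)
        cfg.write_text("[DEFAULT]\nsecret_backend = file\n")
        via_file = load_secret(cfg, "client_secrets.json")
        cs.chmod(0o644)  # now readable by other local users
        refused = False
        try:
            load_secret(cfg, "client_secrets.json")
        except PermissionError:
            refused = True
        os.environ["GAM_SECRET_CLIENT_SECRETS_JSON"] = json.dumps(secret)
        cfg.write_text("[DEFAULT]\nsecret_backend = env\n")
        via_env = load_secret(cfg, "client_secrets.json")
    return via_file == secret, refused, via_env == secret
```

The environment backend is a stand-in only: on Linux, environment variables are readable by any process running as the same user, so a production entry in `BACKENDS` would fetch from a vault or OS keyring instead.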

taers232c commented 3 years ago

Richard,

Send me a Meet/Zoom invitation to discuss.

Ross

richardwadsworth commented 3 years ago

So after discussion with Ross, I understand that it is the Python SDK that is reading and writing to the oauth2.txt file. Not the GAM code. So if there is a fix it will be via the Python SDK.

NoSubstitute commented 2 years ago

@richardwadsworth & @CzechJiri - did you look into this further on your own?