-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add keyvault reference feature on apps environment variables #43
Comments
@julienbourgoin-maif ,
Is this helpful to you? |
[like] Zhishou Zhang reacted to your message:
…________________________________
From: Zhiyong Li ***@***.***>
Sent: Thursday, May 18, 2023 10:58:08 AM
To: Azure/Azure-Spring-Apps ***@***.***>
Cc: Subscribed ***@***.***>
Subject: Re: [Azure/Azure-Spring-Apps] Add keyvault reference feature on apps environment variables (Issue #43)
@julienbourgoin-maif<https://github.com/julienbourgoin-maif> ,
We are planning a similar feature maybe help you in this case, it is about separate roles to define a resource ( operator ) and use the resource in deployment ( deployer ).
1. For operator, there will be a new resource type in ASA, by which a operator can define a new resource, like to give the resource type APM, input the details like DT_TENANTTOKEN and name it as dynatrace.
2. For deployer, during deployment, the deployer can simply deploy the app with apm-ref=dynatrace to triggered the deployment, without the details of the APM dynatrace.
Is this helpful to you?
—
Reply to this email directly, view it on GitHub<#43 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AOE2PSBAB3DXFFCCYBMXKSTXGX6EBANCNFSM6AAAAAAWT3Q4ZM>.
You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>
|
Hi @showpune, |
Thanks @showpune, I didn't noticed this new feature. Even if we could, it does respond only to a part of the initial problem: Keyvault references was for me a good option as I could put the values into a keyvault that only a few people have access to. |
Another thing to keep in mind too, is that even if you use the APM configuration at the service level, people with the 'Azure Spring Apps Connect Role' will still have access to the environment variables given to each app from the APM configuration. Regards |
Is your feature request related to a problem? Please describe.
My dev Azure Spring Apps service is used by multiple people, mostly developers.
As this service instance is not a production one, I gave to developers more permissions, for example the ability to read and modify the environment variables on apps.
That means that every developers can see the environments variables values on every apps on this service instance.
In most cases, it is not a problem as developers should be aware of the environments variables which are given to their apps.
But, some of these variables should stay hidden, even for the developers.
A good example is the DT_TENANTTOKEN one.
As we are using dynatrace integration, we need to give this secret to the app with an environment variable, but, by doing this, the value is visible by every developer, but they are not concerned by this value.
Describe the solution you'd like
Adding the feature "KeyvaultReference" as it exists on app service may prevent people to see the environment value, as it may be stored in a keyvault on which they won't have access, but the app identity will !
Describe the Customer Impact
Either give access to environment variable to peoples and leaks some secrets they should not known,
either don't give them access to environment variable to prevent secret leaks, but it is not acceptable for us because developers needs to have access to this kind of informations on their apps
The text was updated successfully, but these errors were encountered: