Consider supporting token-based authentication #29
Comments
|
Even better, allow the user to provide the access token as an environment variable so that no credentials are exposed in their pipeline code. As a temporary workaround, we can do this for the username and password: // use environment variables
float {
username = "$MMCLOUD_USERNAME"
password = "$MMCLOUD_PASSWORD"
} |
|
You are right. |
|
I just realized yesterday that you could use secrets for this. First use the nextflow CLI to create the secrets: nextflow secrets set MMCLOUD_USERNAME "..."
nextflow secrets set MMCLOUD_PASSWORD "..."Then you can access them in the config file: float {
username = secrets.MMCLOUD_USERNAME
password = secrets.MMCLOUD_PASSWORD
}Nextflow should never expose secrets in the logs. This is something users can do today, I would simply point them to it in the README as a best practice. |
|
Thanks! Let me try this and add them to the README. |
Enable the plugin to read credentials from the environment variable: * MMC_ADDRESS: address of the op center * MMC_USERNAME: login username * MMC_PASSWORD: login password Hide the password in the log. Add samples in the README to illustrate how to input the credentials with NextFlow secrets.
|
I created a PR to hide the password in the log and read the credentials from the ENV. |
Enable the plugin to read credentials from the environment variable: * MMC_ADDRESS: address of the op center * MMC_USERNAME: login username * MMC_PASSWORD: login password Hide the password in the log. Add samples in the README to illustrate how to input the credentials with NextFlow secrets.
Enable the plugin to read credentials from the environment variable: * MMC_ADDRESS: address of the op center * MMC_USERNAME: login username * MMC_PASSWORD: login password Hide the password in the log. Add samples in the README to illustrate how to input the credentials with NextFlow secrets.
|
The support for secrets and env variable is in. But the support for token still needs change in MMC. |
|
MMC will support token in 3.0.1. Add support in the plugin in 0.4.4 |
Currently, you have to provide the username and password to your MM Cloud instance. This is okay for local testing, but I think most Nextflow users will be very hesitant to do this in production, i.e. with Tower, since it's easy for credentials to be leaked and MM Cloud has the ability to create infinite compute resources.
I assume the MemVerge team already has something like this on their roadmap, but I just wanted to put it here for posterity.
Tower uses a personal access token, so you can create a token in Tower with limited permissions and use it in your launch environment. That's one way you could do it in MM Cloud.
The text was updated successfully, but these errors were encountered: