the value is printed while doing a "get"

[hriprsd]

When I try to get a value from consul, the entire value is printed in the pipeline. i.e anyone can view it from the concourse-ui
Sample pipeline:

resources:

• name: config
  type: consul-kv
  source:
  token: my-acl-token
  host: my-consul.com
  tls_cert: my-cert-string
  tls_key: my-cert-key-string
  key: my/key

jobs:

• name: get-my-consul-key
  plan:
  • get: config

UI Output:

This enables anyone (even without access to consul) can view the KV stored in the concourse ui

[mdb]

@hriprsd I believe this is a duplicate of issue #12, which I don't believe is a valid issue.

This enables anyone (even without access to consul) can view the KV stored in the concourse ui

☝️ Regarding this point, I believe this is not entirely accurate, IIUC. I believe it's more accurate to say this allows anyone with an RBAC role that grants them viewing access to view the K/V via the Concourse UI. Furthermore, this is also true of any other Concourse resource whose metadata is surfaced to Concourse.

As I asked in issue #12 ...

Are you suggesting that concourse-consul-kv-resource prints the values of the Consul k/v pairs it tracks? If so, that is expected, no? If the k/v pairs are secrets, I would think they should be stored in a proper secrets manager, such as Vault and not fetched directly via the concourse-consul-kv-resource. Or am I misinterpreting?

☝️ Does this seem reasonable? Or am I mistaken or misunderstanding your use-case?

[hriprsd]

Hey!. Thanks for your response. The config should not have secrets - correct. But maybe a config has some endpoints etc which i don't want others(other teams) to know. I might be taking of a one off case but can that possibility be considered please? Am new to all this, my question might be silly, please excuse. - hriprsd

…

On Mon, 8 Feb, 2021, 19:31 Mike Ball, ***@***.***> wrote: @hriprsd <https://github.com/hriprsd> I believe this is a duplicate of issue #12 <#12>, which I don't *believe* is a valid issue. This enables anyone (even without access to consul) can view the KV stored in the concourse ui ☝️ Regarding this point, I *believe* this is not entirely accurate, IIUC. I believe it's more accurate to say this allows anyone with an RBAC role that grants them viewing access <https://concourse-ci.org/user-roles.html> to view the K/V via the Concourse UI. Furthermore, this is *also* true of any other Concourse resource whose metadata is surfaced to Concourse. As I asked in issue #12 <#12> ... Are you suggesting that concourse-consul-kv-resource prints the values of the Consul k/v pairs it tracks? If so, that is expected, no? If the k/v pairs are secrets, I would think they should be stored in a proper secrets manager, such as Vault <https://www.vaultproject.io/> and not fetched directly via the concourse-consul-kv-resource. Or am I misinterpreting? ☝️ Does this seem reasonable? Or am I mistaken or misunderstanding your use-case? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#13 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AFPAKL5VXIYEX3OCTTSSOR3S57VEFANCNFSM4XENOOUA> .