Support encrypted backends for credentials #147

@cletomartin

Overview

The ~/.credentials could be improved for supporting different back-end alternatives. This would be very useful for local testing where users will not need to store credentials in plain text on disk.

Requirements

  • Support, at least, 1password as an alternative back-end for these credentials file.
  • Make it easy to extend for other types of back-ends.
  • Do not break current default behaviour. Make all this feature optional.

Approach

  • Extend compliance/utils/credentials.py so that it supports multiple backends. The default behaviour should be the current local file.
  • 1password backend: users could use the Auditree configuration to specify the type of the backend they want to use. For example:
"creds": {
  "backend": "1password",
  "domain": "my-domain"
}

In this case, Auditree will wait for an auditree vault in 1password (this vault name can be part of the config too) which will contain the credentials with the following schema:

  • Name of sections of the credentials file will match with the name of a secure note.
  • Each section key/value of the credentials file will be a field in the secure note.

For example: creds['aws'].username will be searched at op://auditree/aws/username

Test Plan

No configuration provided should keep the same behaviour so far.
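
A sketch of the backend selection and the section/key to op:// mapping proposed above, added here as an illustration and not taken from Auditree's code. The class and function names, the `runner` and `path` parameters, the INI format of the local file, and the use of "domain" as the `op --account` value are all assumptions.

```python
import configparser
import subprocess
from pathlib import Path


class LocalFileBackend:
    """Default backend: the plain-text INI file (assumed configparser format)."""

    def __init__(self, path="~/.credentials"):
        self._parser = configparser.ConfigParser()
        self._parser.read(Path(path).expanduser())  # a missing file is ignored

    def get(self, section, key):
        return self._parser.get(section, key)


def run_op(argv):
    """Run the 1Password CLI; the secret is read from stdout, not from disk."""
    done = subprocess.run(argv, check=True, capture_output=True, text=True)
    return done.stdout.rstrip("\n")


class OnePasswordBackend:
    """Maps creds[section].key to op://<vault>/<section>/<key>."""

    def __init__(self, vault="auditree", domain=None, runner=run_op):
        self.vault, self.domain, self._run = vault, domain, runner

    def reference(self, section, key):
        for part in (self.vault, section, key):
            if not part or "/" in part:  # keep one name from spanning path levels
                raise ValueError(f"invalid reference component: {part!r}")
        return f"op://{self.vault}/{section}/{key}"

    def get(self, section, key):
        argv = ["op", "read", self.reference(section, key)]
        if self.domain:  # assumption: "domain" selects the 1Password account
            argv += ["--account", self.domain]
        return self._run(argv)


BACKENDS = {"local": LocalFileBackend, "1password": OnePasswordBackend}


def backend_from_config(config, **overrides):
    """Pick the backend named in config["creds"]; no config means local file."""
    options = {**config.get("creds", {}), **overrides}
    name = options.pop("backend", "local")
    if name not in BACKENDS:
        raise ValueError(f"unknown credentials backend: {name!r}")
    return BACKENDS[name](**options)
```

Passing a stub as `runner` lets the mapping be tested without a signed-in `op` session, and an unknown backend name fails closed instead of silently falling back to the plain-text file.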
