
Sometimes you need to use credentials to send an API request or to log in to an external database or system. It is essential for the security of your operations to be able to work with credentials without making them visible to all users and developers.

...

to work with sensitive data making it invisible to users and developers.


Credential definitions

The credentials are stored in the kbot.conf configuration files. These files might exist on multiple levels, providing the settings to a specific bot instance, or shared between multiple instances. The configuration files are edited by customers in DevOps > Deployment:

...

Automatic encryption

When you click Apply, all the passwords and secrets are automatically encrypted. The rule is that any variable name ending with _password or _secret is encrypted.

...

Insecure setup

Here is an example of typical configuration data:

Code Block
# App Integration
one_app_api = https://one-app.company.com/rest/api/v2/
one_app_authorization = Basic amlyYWlsjflskjdf

You can use it in a workflow node (such as the Web Service node) or in a Python script:

Code Block
import requests  # Bot is the platform's own module, available in the script context

# Read the credential with the plain GetConfig: the key name matches the
# one_app_authorization entry in kbot.conf above.
headers = {
    'Accept': 'application/json',
    'Content-Type': 'application/json',
    'Authorization': Bot.Bot().GetConfig("one_app_authorization")
}
# email comes from the workflow context; the f-string substitutes it into the query
url = Bot.Bot().GetConfig("one_app_api") + f"search?username={email}"
response = requests.get(url, headers=headers)

In this sample, your code is not secured: anyone with access to the backoffice can see the authorization credentials.

...

Basic security setup

By default, the bot automatically encrypts all variables in the configuration files ending with _password or _secret. Rename your sensitive variables accordingly:

Code Block
# App Integration
one_app_api = https://one-app.company.com/rest/api/v2/
one_app_authorization_secret = Basic amlyYWlsjflskjdf

When saved, the file looks like this:

Code Block
# App Integration
one_app_api = https://one-app.company.com/rest/api/v2/
one_app_authorization_secret = JZVf4hamtMf1+WOEBe2X+XG4zRCbD5su+P8FnCo7YutJE2nxSWp7Qq5d9Ycu9qVn=

To retrieve the data you need inside the code, use GetPasswordConfig:

Code Block
import requests  # Bot is the platform's own module, available in the script context

# GetPasswordConfig reads the encrypted one_app_authorization_secret entry and
# returns the decrypted value; the plain GetConfig is still used for non-secret keys.
headers = {
    'Accept': 'application/json',
    'Content-Type': 'application/json',
    'Authorization': Bot.Bot().GetPasswordConfig("one_app_authorization_secret")
}
# email comes from the workflow context; the f-string substitutes it into the query
url = Bot.Bot().GetConfig("one_app_api") + f"search?username={email}"
response = requests.get(url, headers=headers)

Pro: very simple.

Con: passwords are potentially saved in git, and once you know the key, you can decrypt them.

Environment Security

We can store passwords as environment variables, as below:

Code Block
elastic_password = VARIABLE::varname

Better than the basic setup: no password is ever visible in the backoffice or saved in git, and it is only accessible and editable by someone with VM access.

Azure Vault Security

This strategy uses an Azure Key Vault; the documentation page is here: /wiki/spaces/DO/pages/3341090877

In our environment code, we store the credentials using this method, so the secrets are kept in a secured Azure Key Vault, accessible only by the bot and a few chosen consultants.

Code Block
elastic_password = AZUREKEYVAULT::varname
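The following is an added example, not the bot platform's own code, showing how the rules described on this page fit together: the _password/_secret naming rule from the automatic encryption section, the VARIABLE:: and AZUREKEYVAULT:: indirections, a lint that flags a credential stored under a non-protected name (the insecure setup above), and a redacted view of the kind a backoffice listing should show. The parser, the injected env dictionary, the vault_lookup callable standing in for a real Azure Key Vault client, and the "Basic "/"Bearer " heuristic are all assumptions of this example; the at-rest encryption the platform applies on Apply is not modelled, so a literal secret value is returned as stored.

```python
import os
import re
from typing import Callable, Dict, List, Optional

# Suffixes the page says the platform treats as sensitive (auto-encrypted on Apply).
SENSITIVE_SUFFIXES = ("_password", "_secret")

# Value prefixes from the page: VARIABLE:: reads an environment variable,
# AZUREKEYVAULT:: reads a secret from the vault.
ENV_PREFIX = "VARIABLE::"
VAULT_PREFIX = "AZUREKEYVAULT::"

# Constructed sample config; the first two values mirror the page's example.
SAMPLE_CONF = """
# App Integration
one_app_api = https://one-app.company.com/rest/api/v2/
one_app_authorization = Basic amlyYWlsjflskjdf
# Environment and vault indirections (constructed names)
elastic_password = VARIABLE::ELASTIC_PASSWORD
kv_secret = AZUREKEYVAULT::kv-example
"""

LINE_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def is_sensitive(name: str) -> bool:
    """The page's naming rule: any variable ending with _password or _secret."""
    return name.endswith(SENSITIVE_SUFFIXES)


def parse_conf(text: str) -> Dict[str, str]:
    """Parse kbot.conf-style 'key = value' lines (assumed format); skip blanks and # comments."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed line: {raw!r}")
        conf[m.group(1)] = m.group(2)
    return conf


def find_unprotected_credentials(conf: Dict[str, str]) -> List[str]:
    """Heuristic lint (an assumption of this example): values that look like an HTTP
    Authorization header stored under a name the platform will NOT encrypt."""
    return sorted(
        k for k, v in conf.items()
        if not is_sensitive(k) and v.startswith(("Basic ", "Bearer "))
    )


class ConfigResolver:
    """Resolve values the way the page describes. env defaults to os.environ;
    vault_lookup is an assumed stand-in for the Azure Key Vault integration."""

    def __init__(self, conf: Dict[str, str], env: Optional[Dict[str, str]] = None,
                 vault_lookup: Optional[Callable[[str], str]] = None) -> None:
        self._conf = conf
        self._env = dict(os.environ) if env is None else env
        self._vault_lookup = vault_lookup

    def get_config(self, name: str) -> str:
        """Plain lookup for non-secret keys such as one_app_api."""
        return self._conf[name]

    def get_password_config(self, name: str) -> str:
        """Lookup for _password/_secret keys, following VARIABLE:: and AZUREKEYVAULT:: references."""
        if not is_sensitive(name):
            raise ValueError(f"{name} does not end with _password or _secret")
        value = self._conf[name]
        if value.startswith(ENV_PREFIX):
            var = value[len(ENV_PREFIX):]
            if var not in self._env:
                raise KeyError(f"environment variable {var} is not set on this VM")
            return self._env[var]
        if value.startswith(VAULT_PREFIX):
            if self._vault_lookup is None:
                raise RuntimeError("no vault client configured for this bot")
            return self._vault_lookup(value[len(VAULT_PREFIX):])
        return value  # literal value; encrypted at rest by the platform, not modelled here

    def redacted_view(self) -> Dict[str, str]:
        """What a backoffice listing should show: literal secrets masked,
        indirection references left visible because they reveal nothing."""
        out: Dict[str, str] = {}
        for k, v in self._conf.items():
            if is_sensitive(k) and not v.startswith((ENV_PREFIX, VAULT_PREFIX)):
                out[k] = "********"
            else:
                out[k] = v
        return out


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("unprotected:", find_unprotected_credentials(conf))
    r = ConfigResolver(conf, env={"ELASTIC_PASSWORD": "pw1"},
                       vault_lookup={"kv-example": "vault-value"}.__getitem__)
    print(r.get_password_config("elastic_password"), r.get_password_config("kv_secret"))
    print(r.redacted_view())
```

Running the lint over the sample reports one_app_authorization, which is exactly the insecure setup from the page: a Basic credential under a name without the protected suffix. Renaming it to one_app_authorization_secret makes the lint pass and the redacted view mask it.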