Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

There may be many situations in your implementation where you’d Sometimes you need to use credentials to send an API request or a login to an external database or system. It In terms of security it is essential for the security of your operations to be able to with credentials without making them visible to all to work with sensitive data making it invisible to users and developers.

Table of Contents

Credential definitions

The credentials are expected to be stored in the kbot.conf configuration files, which may exist at . These files might exist on multiple levels, for providing the settings to be a specific to a particular bot instance, or shared between multiple instances. These The configuration files are typically edited by customers , using the in DevOps / > Deployment view:

...

Automatic encryption

When you click on the Apply button, all the passwords and secrets are automatically encrypted. (question) The rule is that any variable name ending with _password or _secret is encrypted.

...

...

Insecure setup

Here is an example of the configuration of a typical configuration data:

Code Block
# App Integration
one_app_api = https://one-app.company.com/rest/api/v2/
one_app_authorization = Basic amlyYWlsjflskjdf

That you may then be able to use in either a Workflow node You can use it in a workflow node (such as the Web Service node), or using python script, for examplein a Python script:

Code Block
    headers = {
        'Accept': 'application/json',
        'Content-Type': 'application/json',
        'Authorization': Bot.Bot().GetConfig("jira_authorization")
    }
    url = Bot.Bot().GetConfig("one_app_api") + "search?username={email}"
    response = requests.get(url, headers=headers)

In the above, this sample your code is not secured in that anyone having . Anyone with access to the back office backoffice could see the authorisation authorization credentials.

...

Basic security setup

By default, the The bot will automatically encryp in the configuration files encrypts all the variables ending with _password or _secret. So rename Rename your sensitive variables accordingly:

Code Block
# App Integration
one_app_api = https://one-app.company.com/rest/api/v2/
one_app_authorization_secret = Basic amlyYWlsjflskjdf

When saved, the file will then look looks like this:

Code Block
# App Integration
one_app_api = https://one-app.company.com/rest/api/v2/
one_app_authorization_secret = JZVf4hamtMf1+WOEBe2X+XG4zRCbD5su+P8FnCo7YutJE2nxSWp7Qq5d9Ycu9qVn=

Then inside the code, use the GetSecretConfig to To retrieve the data you need. , use GetPasswordConfig:

Code Block
    headers = {
        'Accept': 'application/json',
        'Content-Type': 'application/json',
        'Authorization': Bot.Bot().GetSecretConfigGetPasswordConfig("jira_authorization_secret")
    }
    url = Bot.Bot().GetConfig("one_app_api") + "search?username={email}"
    response = requests.get(url, headers=headers)

Pro : Very simple

Con : Password potentially saved in git & once you know the key, you can decrypt them

Environment Security

We can store passwords as an environment variable such as below :

Code Block
elastic_password = VARIABLE::varname

Better than basic, no password will ever be visible in the backoffice and password will never be saved in git, and only accessible and editable by someone with a vm access

Azure Vault Security

We are using in this strategy an azure vault, we have a documentation page here : /wiki/spaces/DO/pages/3341090877

In our environment code, we will store the credentials using this new method so the secrets are stored in a secured azure security vault, only accessible by the bot, and a few chosen consultants.

Code Block
elastic_password = AZUREKEYVAULT::varname