There may be many situations in your implementation where you’d Sometimes you need to use credentials to send an API request or a login to an external database or system. It In terms of security it is essential for the security of your operations to be able to with credentials without making them visible to all to work with sensitive data making it invisible to users and developers.
| Table of Contents |
|---|
Credential definitions
The credentials are expected to be stored in the kbot.conf configuration files, which may exist at . These files might exist on multiple levels, for providing the settings to be a specific to a particular bot instance, or shared between multiple instances. These The configuration files are typically edited by customers , using the in DevOps / > Deployment view:
...
Automatic encryption
When you click on the Apply button, all the passwords and secrets are automatically encrypted. 
The rule is that any variable name ending with _password or _secret is encrypted.
...
Insecure setup
Here is an example of the configuration of a typical configuration data:
| Code Block |
|---|
# App Integration one_app_api = https://one-app.company.com/rest/api/v2/ one_app_authorization = Basic amlyYWlsjflskjdf |
That you may then be able to use in either a Workflow node You can use it in a workflow node (such as the Web Service node), or using python script, for examplein a Python script:
| Code Block |
|---|
headers = {
'Accept': 'application/json',
'Content-Type': 'application/json',
'Authorization': Bot.Bot().GetConfig("jira_authorization")
}
url = Bot.Bot().GetConfig("one_app_api") + "search?username={email}"
response = requests.get(url, headers=headers) |
In the above, this sample your code is not secured in that anyone having . Anyone with access to the back office backoffice could see the authorisation authorization credentials.
...
Basic security setup
By default, the The bot will automatically encrypt in the configuration files encrypts all the variables ending with _password or _secret. So rename Rename your sensitive variables accordingly:
| Code Block |
|---|
# App Integration one_app_api = https://one-app.company.com/rest/api/v2/ one_app_authorization_secret = Basic amlyYWlsjflskjdf |
When saved, the file will then look looks like this:
| Code Block |
|---|
# App Integration one_app_api = https://one-app.company.com/rest/api/v2/ one_app_authorization_secret = JZVf4hamtMf1+WOEBe2X+XG4zRCbD5su+P8FnCo7YutJE2nxSWp7Qq5d9Ycu9qVn= |
Then inside the code, use the GetPasswordConfig to To retrieve the data you need. , use GetPasswordConfig:
| Code Block |
|---|
headers = {
'Accept': 'application/json',
'Content-Type': 'application/json',
'Authorization': Bot.Bot().GetPasswordConfig("jira_authorization_secret")
}
url = Bot.Bot().GetConfig("one_app_api") + "search?username={email}"
response = requests.get(url, headers=headers) |
Pro : Very simple
Con : Password potentially saved in git & once you know the key, you can decrypt them
Environment Security
We can store passwords as an environment variable such as below :
| Code Block |
|---|
elastic_password = VARIABLE::varname |
Better than basic, no password will ever be visible in the backoffice and password will never be saved in git, and only accessible and editable by someone with a vm access
Azure Vault Security
We are using in this strategy an azure vault, we have a documentation page here : /wiki/spaces/DO/pages/3341090877
In our environment code, we will store the credentials using this new method so the secrets are stored in a secured azure security vault, only accessible by the bot, and a few chosen consultants.
| Code Block |
|---|
elastic_password = AZUREKEYVAULT::varname |