Sometimes you need to use credentials to send an API request or a login to an external system. In terms of security it is essential to work with sensitive data making it invisible to users and developers.
Credential definitions
The credentials are stored in the kbot.conf
configuration files. These files might exist on multiple levels, providing the settings to a specific bot instance, or shared between multiple instances. The configuration files are edited by customers in DevOps > Deployment:
Automatic encryption
When you click Apply, all the passwords and secrets are automatically encrypted. The rule is that any variable name ending with _password
or _secret
is encrypted.
Insecure setup
Here is an example of a typical configuration:
# App Integration one_app_api = https://one-app.company.com/rest/api/v2/ one_app_authorization = Basic amlyYWlsjflskjdf
You can use it in a workflow node (such as the Web Service node), or in a Python script:
headers = { 'Accept': 'application/json', 'Content-Type': 'application/json', 'Authorization': Bot.Bot().GetConfig("jira_authorization") } url = Bot.Bot().GetConfig("one_app_api") + "search?username={email}" response = requests.get(url, headers=headers)
In this sample your code is not secured. Anyone with access to the backoffice could see the authorization credentials.
Basic security setup
The bot automatically encrypts all the variables ending with _password
or _secret
. Rename your sensitive variables accordingly:
# App Integration one_app_api = https://one-app.company.com/rest/api/v2/ one_app_authorization_secret = Basic amlyYWlsjflskjdf
When saved, the file looks like this:
# App Integration one_app_api = https://one-app.company.com/rest/api/v2/ one_app_authorization_secret = JZVf4hamtMf1+WOEBe2X+XG4zRCbD5su+P8FnCo7YutJE2nxSWp7Qq5d9Ycu9qVn=
To retrieve the data you need, use GetPasswordConfig
:
headers = { 'Accept': 'application/json', 'Content-Type': 'application/json', 'Authorization': Bot.Bot().GetPasswordConfig("jira_authorization_secret") } url = Bot.Bot().GetConfig("one_app_api") + "search?username={email}" response = requests.get(url, headers=headers)
Pro : simple
con : password potentially saved in git & once you know the key, you can decrypt them