Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 8 Current »

Sometimes you need to use credentials to send an API request or a login to an external system. In terms of security it is essential to work with sensitive data making it invisible to users and developers.

Credential definitions

The credentials are stored in the kbot.conf configuration files. These files might exist on multiple levels, providing the settings to a specific bot instance, or shared between multiple instances. The configuration files are edited by customers in DevOps > Deployment:

Automatic encryption

When you click Apply, all the passwords and secrets are automatically encrypted. The rule is that any variable name ending with _password or _secret is encrypted.

Insecure setup

Here is an example of a typical configuration:

# App Integration
one_app_api = https://one-app.company.com/rest/api/v2/
one_app_authorization = Basic amlyYWlsjflskjdf

You can use it in a workflow node (such as the Web Service node), or in a Python script: 

    headers = {
        'Accept': 'application/json',
        'Content-Type': 'application/json',
        'Authorization': Bot.Bot().GetConfig("jira_authorization")
    }
    url = Bot.Bot().GetConfig("one_app_api") + "search?username={email}"
    response = requests.get(url, headers=headers)

In this sample your code is not secured. Anyone with access to the backoffice could see the authorization credentials.

Basic security setup

The bot automatically encrypts all the variables ending with _password or _secret. Rename your sensitive variables accordingly:

# App Integration
one_app_api = https://one-app.company.com/rest/api/v2/
one_app_authorization_secret = Basic amlyYWlsjflskjdf

When saved, the file looks like this: 

# App Integration
one_app_api = https://one-app.company.com/rest/api/v2/
one_app_authorization_secret = JZVf4hamtMf1+WOEBe2X+XG4zRCbD5su+P8FnCo7YutJE2nxSWp7Qq5d9Ycu9qVn=

To retrieve the data you need, use GetPasswordConfig:

    headers = {
        'Accept': 'application/json',
        'Content-Type': 'application/json',
        'Authorization': Bot.Bot().GetPasswordConfig("jira_authorization_secret")
    }
    url = Bot.Bot().GetConfig("one_app_api") + "search?username={email}"
    response = requests.get(url, headers=headers)

Pro : Very simple

Con : Password potentially saved in git & once you know the key, you can decrypt them

Environment Security

We can store passwords as an environment variable such as below : 

elastic_password = VARIABLE::varname

Better than basic, no password will ever be visible in the backoffice and password will never be saved in git, and only accessible and editable by someone with a vm access

Azure Vault Security

We are using in this strategy an azure vault, we have a documentation page here : /wiki/spaces/DO/pages/3341090877

In our environment code, we will store the credentials using this new method so the secrets are stored in a secured azure security vault, only accessible by the bot.

elastic_password = AZUREKEYVAULT::varname

  • No labels