
[Feature request] Secure secrets retrieval in .env file #3699

Open
1 task done
sinedied opened this issue Apr 12, 2024 · 1 comment · May be fixed by #4517

Comments

@sinedied
Member

Output from azd version
azd version 1.8.0 (commit 8246323)

Describe the issue

.env files are often used during development to test/debug an app locally, while connecting to cloud resources. AZD generates such .env files in the .azure folder, and allows you to retrieve these values with azd env get-values.

The problem is that currently the only way to retrieve secrets such as connection strings or API keys in that .env file is to expose them as outputs in the Bicep templates, an insecure practice as these secrets then get exposed in Azure deployments.

A workaround to that issue is to use Key Vault to store the secrets, but in that case to get these secrets added into the .env for local testing, it complicates things a lot for the users:

  • You have to install the AZ CLI in addition to AZD (~1 GB)
  • You have to log in to the AZ CLI in addition to AZD
  • You have to create a script that lists the secrets in KV, retrieves them one by one and adds them to the .env file. And double that if you need to support both Mac/Linux and Windows

Given that AZD aims to be the main CLI tool for developers, it would make sense to integrate a feature to automatically retrieve secrets from a KV and include them in the generated .env file.

Note: I'm aware that Managed Identity is the best way to avoid handling secrets, but not all services and tools support them. For example, Azure CosmosDB for MongoDB vCore only supports connection strings, and the Azure Databases VS Code extension can only connect to a DB using a connection string.
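A cross-platform version of the workaround the issue describes (list the Key Vault secrets, fetch them one by one, write them into a .env file), added here as an example; it is not azd's code nor the issue author's. It assumes the azure-identity and azure-keyvault-secrets packages are installed, that you already signed in with a credential DefaultAzureCredential can pick up, and that the vault URL and the target .env path are supplied by you. Key Vault secret names cannot contain underscores, so the example also maps names like cosmos-connection-string to COSMOS_CONNECTION_STRING, single-quotes values so that ';', '=', '$' and spaces in connection strings survive being sourced, and writes the file owner-readable only.

```python
"""Populate a .env file from Azure Key Vault secrets (added example, not azd code)."""
import re
import stat
from pathlib import Path


def env_name(secret_name: str) -> str:
    """Key Vault names allow [A-Za-z0-9-]; env var names want [A-Z0-9_]."""
    return re.sub(r"[^A-Z0-9_]", "_", secret_name.upper())


def dotenv_quote(value: str) -> str:
    """POSIX single-quoting (also accepted by python-dotenv): nothing inside is
    interpolated; an embedded single quote is closed, escaped and reopened."""
    return "'" + value.replace("'", "'\\''") + "'"


def render_dotenv(secrets: dict) -> str:
    """Render NAME='value' lines, sorted so repeated runs produce stable diffs."""
    lines = [f"{env_name(k)}={dotenv_quote(v)}" for k, v in sorted(secrets.items())]
    return "\n".join(lines) + "\n"


def write_dotenv(path: Path, secrets: dict) -> None:
    """Write the .env and restrict it to the owner (0600); it now holds secrets."""
    path.write_text(render_dotenv(secrets), encoding="utf-8")
    path.chmod(stat.S_IRUSR | stat.S_IWUSR)


def fetch_secrets(vault_url: str) -> dict:
    """List every enabled secret, then fetch each value (azure-keyvault-secrets SDK).
    Imported lazily so the pure helpers above work without the SDK installed."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient

    client = SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())
    secrets = {}
    for props in client.list_properties_of_secrets():
        if props.enabled:  # skip disabled secrets rather than failing on them
            secrets[props.name] = client.get_secret(props.name).value
    return secrets


if __name__ == "__main__":
    # Assumed placeholders: replace with your vault URL and azd environment .env path.
    write_dotenv(Path(".azure/my-env/.env"), fetch_secrets("https://<vault-name>.vault.azure.net"))
```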

@weikanglim
Contributor

Inspirationally, I would love if we could tell a story like this for users that are used to environment variables:

export OPENAI_KEY='<secret>' 
azd provision

Or:

# this works just like before,
# the variable is just stored securely for repeatability and automated CI setup 
azd env set --secret OPENAI_KEY='<secret>'
azd provision

@rajeshkamal5050 rajeshkamal5050 modified the milestones: Aug 2024, Sep 2024 Sep 4, 2024
@rajeshkamal5050 rajeshkamal5050 modified the milestones: Sep 2024, Oct 2024 Oct 16, 2024
@rajeshkamal5050 rajeshkamal5050 modified the milestones: Oct 2024, Nov 2024 Oct 30, 2024
@rajeshkamal5050 rajeshkamal5050 modified the milestones: Nov 2024, Dec 2024 Dec 2, 2024
@vhvb1989 vhvb1989 linked a pull request Jan 16, 2025 that will close this issue