feat: Allow users to specify output type and encrypt value #5

Open
aballiet opened this issue Apr 12, 2024 · 4 comments
Labels
kind/pending-feedback Idea waiting for user feedback

Comments

@aballiet

Currently there is no way to output a secret value from a Python script.

Users could use a Python script to retrieve a token value (like a temporary GitHub or any external system) not handled by plugins.

Implementation could look like:

```python
Kestra.outputs({
  "myOutput": {
    "type": "io.kestra.datatype:aes_encrypted",
    "value": "yourAESEncryptedValue"
  }
})
```

In order to encrypt, an encrypt function should be available, similar to the Pebble one.

@tchiotludo tchiotludo added this to the v0.17.0 milestone Apr 12, 2024
@tchiotludo tchiotludo added the enhancement New feature or request label Apr 12, 2024
@brian-mulier-p
Member

To add to this and as discussed, I think the ideal syntax is:

```python
myOutputValue = "someComplicatedString"
# Kestra.encrypt is the helper proposed in this issue
Kestra.outputs({
  "myOutput": Kestra.encrypt(myOutputValue)
})
```

@brian-mulier-p
Member

We could parse the logs before sending them to the Kestra logger with the DefaultLogConsumer (and encrypt values that need to be), but it would still have them in the container logs, so I believe we should send the encryption key to the Python process and do the AES encryption within it...

@aballiet
Author

> We could parse the logs before sending them to the Kestra logger with the DefaultLogConsumer (and encrypt values that need to be), but it would still have them in the container logs, so I believe we should send the encryption key to the Python process and do the AES encryption within it...

Should be available through env variables.

@brian-mulier-p
Member

I'm unsure about security around this as it means any user could just print the key and it would be a security failure I think 🤔

@anna-geller anna-geller modified the milestones: v0.17.0, v0.18.0, v0.20.0 May 6, 2024
@anna-geller anna-geller removed this from the v0.20.0 milestone Jun 6, 2024
@anna-geller anna-geller added pending-community-feedback and removed enhancement New feature or request labels Jun 6, 2024
@anna-geller anna-geller added the kind/pending-feedback Idea waiting for user feedback label Jul 8, 2024
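
An added sketch of the design discussed in this thread (not part of the issue and not Kestra's code): the script encrypts the value in-process with a key taken from an environment variable, so only ciphertext reaches the output, and the same run shows the concern from the last comment, namely that the key is readable by any code in that process. The variable name, the choice of AES-GCM, the nonce-prefixed base64 layout and the use of the `cryptography` package are assumptions.

```python
# Added example: hypothetical encrypt() helper plus the key-exposure check.
import base64
import os

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

KEY_ENV = "EXAMPLE_ENCRYPTION_KEY"  # hypothetical variable name, not from the issue
OUTPUT_TYPE = "io.kestra.datatype:aes_encrypted"  # type string proposed in the issue


def encrypt(plaintext: str) -> dict:
    """Encrypt inside the script process so the clear value never reaches stdout."""
    key = base64.b64decode(os.environ[KEY_ENV])
    nonce = os.urandom(12)  # fresh 96-bit nonce for every value
    ciphertext = AESGCM(key).encrypt(nonce, plaintext.encode(), None)
    # Assumed layout: base64(nonce || ciphertext || tag)
    return {"type": OUTPUT_TYPE, "value": base64.b64encode(nonce + ciphertext).decode()}


def decrypt(output: dict) -> str:
    """Orchestrator side: recover the value from a typed output."""
    key = base64.b64decode(os.environ[KEY_ENV])
    raw = base64.b64decode(output["value"])
    return AESGCM(key).decrypt(raw[:12], raw[12:], None).decode()


def key_readable_by_script() -> bool:
    """True when user code in this process can obtain a usable AES key."""
    return len(base64.b64decode(os.environ.get(KEY_ENV, ""))) in (16, 24, 32)


def demo() -> tuple:
    # Constructed key and token, generated for this example only.
    os.environ[KEY_ENV] = base64.b64encode(AESGCM.generate_key(bit_length=256)).decode()
    token = "constructed-token-value"
    out = encrypt(token)
    return out, decrypt(out), key_readable_by_script()


if __name__ == "__main__":
    out, recovered, exposed = demo()
    print(out["type"], recovered, exposed)
```

Because `key_readable_by_script()` returns `True`, a symmetric key shared this way protects the value in logs but not from the script author; scoping the key per execution or per namespace would limit what such a script could decrypt.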
Projects
Status: Backlog