
Commit 297de76

Update secrets.md
1 parent 69d7b0e commit 297de76

File tree

1 file changed

+15
-18
lines changed


docs/secrets.md

+15-18
@@ -1,27 +1,24 @@
1-
# Secrets
1+
# Secrets in a workspace
22

33
<blockquote class="info">
44
This article explains how to use secrets in a workspace. To authenticate the
5-
workspace provisioner, see <a href="/admin/auth">this</a>.
5+
workspace provisioner, see the article on <a href="/admin/auth">Authentication</a>.
66
</blockquote>
77

88
Coder is open-minded about how you get your secrets into your workspaces.
9+
This means you can continue to use the same workflow and tools you already use to manage secrets locally in your Coder workspace.
910

10-
## Wait a minute...
11-
12-
Your first stab at secrets with Coder should be your local method. You can do
13-
everything you can locally and more with your Coder workspace, so whatever
14-
workflow and tools you already use to manage secrets may be brought over.
15-
16-
Often, this workflow is simply:
11+
Usually this workflow looks like,
1712

1813
1. Give your users their secrets in advance
1914
1. Your users write them to a persistent file after they've built their
2015
workspace
21-
22-
[Template parameters](./templates/parameters.md) are a dangerous way to accept
23-
secrets. We show parameters in cleartext around the product. Assume anyone with
16+
17+
<blockquote class="warning">
18+
Its strongly recommended that you do not use <a href="./templates/parameters.md">template parameters</a> to accept
19+
secrets. Parameters are shown in cleartext in Coder. Assume anyone with
2420
view access to a workspace can also see its parameters.
21+
</blockquote>
2522

2623
## SSH Keys
2724

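Review bot: typo on line 18 of the new file, `Its strongly recommended` should be `It's strongly recommended` (or, tighter, `We strongly recommend that you do not use`). Two smaller points in the same hunk: `Usually this workflow looks like,` should end with a colon rather than a comma since it introduces the numbered list, and the new sentence `This means you can continue to use the same workflow and tools...` is one unwrapped line while the rest of the file is wrapped at roughly 80 columns. Moving the parameter guidance into a `warning` blockquote is the right call; keep the sentence that parameters are shown in cleartext and visible to anyone with view access, since that is the concrete reason the warning exists.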
@@ -30,13 +27,13 @@ authentication mechanism for git providers or other tools. Within workspaces,
3027
git will attempt to use this key within workspaces via the `$GIT_SSH_COMMAND`
3128
environment variable.
3229

30+
SSH keys are never stored in Coder workspaces, and are fetched only when
31+
SSH is invoked. The keys are held in-memory and never written to disk.
32+
3333
Users can view their public key in their account settings:
3434

3535
![SSH keys in account settings](./images/ssh-keys.png)
3636

37-
> Note: SSH keys are never stored in Coder workspaces, and are fetched only when
38-
> SSH is invoked. The keys are held in-memory and never written to disk.
39-
4037
## Dynamic Secrets
4138

4239
Dynamic secrets are attached to the workspace lifecycle and automatically
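Review bot: the relocated paragraph now sits directly before `Users can view their public key in their account settings`, so say which key is fetched: `the private key is fetched only when SSH is invoked` avoids a reader conflating it with the public key shown in the next sentence. Style: `held in-memory` should be `held in memory` (no hyphen when used adverbially). Dropping the `> Note:` prefix is fine, but since this is the security property the section rests on, consider wrapping it in an `info` blockquote like the one at the top of the file so it is not lost in the body text.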
@@ -47,7 +44,7 @@ This method is limited to
4744
[services with Terraform providers](https://registry.terraform.io/browse/providers),
4845
which excludes obscure API providers.
4946

50-
Dynamic secrets can be implemented in your template code like so:
47+
Add dynamic secrets into your template code using the following:
5148

5249
```hcl
5350
resource "twilio_iam_api_key" "api_key" {
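Review bot: `Add dynamic secrets into your template code using the following:` reads awkwardly; `Add dynamic secrets to your template code with a resource like the following:` is cleaner and tells the reader what the `hcl` block shows. The original wording `can be implemented in your template code like so:` was fine too, so if the goal was the imperative voice, `Add ... to` rather than `Add ... into` is the only change needed.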
@@ -65,8 +62,8 @@ resource "coder_agent" "main" {
6562
```
6663

6764
A catch-all variation of this approach is dynamically provisioning a cloud
68-
service account (e.g
69-
[GCP](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_key#private_key))
65+
service account, for example
66+
[GCP](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_service_account_key#private_key),
7067
for each workspace and then making the relevant secrets available via the
7168
cloud's secret management system.
7269
