neuropoly/bids-hook

Get credentials from a file instead of the environment


It looks like systemd has a whole system in place for credentials. According to System and Service Credentials:

Within unit files, there are four settings to configure service credentials.

  1. LoadCredential= may be used to load a credential from disk, from an AF_UNIX socket, or propagate them from a system credential.
  2. SetCredential= may be used to set a credential to a literal string encoded in the unit file. Because unit files are world-readable (both on disk and via D-Bus), this should only be used for credentials that aren’t sensitive, i.e. public keys/certificates – but not private keys.
  3. LoadCredentialEncrypted= is similar to LoadCredential= but will load an encrypted credential, and decrypt it before passing it to the service. For details on credential encryption, see below.
  4. SetCredentialEncrypted= is similar to SetCredential= but expects an encrypted credential to be specified literally. Unlike SetCredential= it is thus safe to be used even for sensitive information, because even though unit files are world readable, the ciphertext included in them cannot be decoded unless access to TPM2/encryption key is available.

So, systemd wants to make credentials available as files, and currently bids-hook wants to accept credentials as environment variables. I guess I can change the environment variable to contain a path to the secret, rather than the secret itself, and that should be sufficiently flexible for manual testing and also for systemd-controlled execution.

Originally posted by @mguaypaq in #6 (comment)
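One way to implement the "environment variable holds a path" approach described above, as an added example that is not bids-hook's own code: the variable name `BIDS_HOOK_SECRET_FILE` and the unit-file lines in the comments are assumptions, and the loader refuses secrets that are readable by group or others so a mis-deployed file is caught at startup.

```python
import os
import stat
from pathlib import Path

# Assumed systemd wiring (not from the project); %d expands to the
# per-service credentials directory that LoadCredential= populates:
#   [Service]
#   LoadCredential=webhook_secret:/etc/bids-hook/webhook_secret
#   Environment=BIDS_HOOK_SECRET_FILE=%d/webhook_secret
# For manual testing, point the same variable at any 0600 file instead.


def read_credential(env_var: str, *, strict_mode: bool = True) -> str:
    """Return the secret stored in the file named by the environment variable.

    The variable carries a *path*, so the same code serves a hand-made file
    during manual testing and a file systemd places via LoadCredential=.
    """
    path_str = os.environ.get(env_var)
    if not path_str:
        raise RuntimeError(f"{env_var} is not set; it must point at the credential file")
    path = Path(path_str)
    st = path.stat()  # raises FileNotFoundError if the path is wrong
    if not stat.S_ISREG(st.st_mode):
        raise RuntimeError(f"{path} is not a regular file")
    # A secret readable by group or others is almost always a deployment mistake.
    if strict_mode and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path} is accessible by group/other (mode {stat.S_IMODE(st.st_mode):04o})"
        )
    # Files written by editors, `echo`, or systemd often end with a newline; drop it.
    secret = path.read_text(encoding="utf-8").rstrip("\r\n")
    if not secret:
        raise RuntimeError(f"{path} is empty")
    return secret
```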