keeping passwords out of code
Hi, I have an end-to-end test framework built on top of pytest, and a big challenge is managing application passwords while keeping them out of the code base. I deal with multiple applications and services, on multiple tiers (staging, production, etc.), so I have a large set of user-password pairs to manage. I currently use a local yaml file, with passwords keyed to account ids, along with a data model of users in the codebase keyed to the same IDs. My conftest queries the yaml file with the ids to grab the passwords, and it's set up to throw exceptions if there is anything out of sync between the data model and the yaml file data. Cumbersome, but works.... locally. I need to port the framework to Jenkins, so I need a better and secure system. Suggestions on better ways of managing passwords and secrets in a pytest/jenkins context? thanks, --derek
Hi Derek, On Sat 22 Sep 2018 at 09:19 -0700, Derek Sisson wrote:
I currently use a local yaml file, with passwords keyed to account ids, along with a data model of users in the codebase keyed to the same IDs. My conftest queries the yaml file with the ids to grab the passwords, and it's set up to throw exceptions if there is anything out of sync between the data model and the yaml file data.
Cumbersome, but works.... locally. I need to port the framework to Jenkins, so I need a better and secure system.
Suggestions on better ways of managing passwords and secrets in a pytest/jenkins context?
This isn't really a pytest question to be fair. It's just that you happen to stumble into secrets management via testing, which is certainly one common way of discovering this rabbit hole. The simple version, which is still somewhat sub-optimal, is to pass the secrets via environment variables or something; for Jenkins specifically you should probably look at its Credentials Binding plugin or so. The full-blown solution is to use something like vaultproject.io to manage secrets. Obviously this is a fair amount of work but you'll get good secrets management at the end. Cheers, Floris
This is what I originally developed pytest-variables for (https://pypi.org/project/pytest-variables/). Maybe you'll find that useful, but it sounds like you already have a similar solution. For Jenkins, we use the credentials plugin to store the variables files, and then reference them from the jobs via environment variables. See https://github.com/mozilla/mozillians-tests/blob/master/Jenkinsfile#L40 and https://github.com/mozilla/mozillians-tests/blob/master/Jenkinsfile#L53 for an example of where we use this in a Jenkins declarative pipeline.
On 23 Sep 2018, at 19:47, Floris Bruynooghe <flub@devork.be> wrote:
Hi Derek,
On Sat 22 Sep 2018 at 09:19 -0700, Derek Sisson wrote:
I currently use a local yaml file, with passwords keyed to account ids, along with a data model of users in the codebase keyed to the same IDs. My conftest queries the yaml file with the ids to grab the passwords, and it's set up to throw exceptions if there is anything out of sync between the data model and the yaml file data.
Cumbersome, but works.... locally. I need to port the framework to Jenkins, so I need a better and secure system.
Suggestions on better ways of managing passwords and secrets in a pytest/jenkins context?
This isn't really a pytest question to be fair. It's just that you happen to stumble into secrets management via testing, which is certainly one common way of discovering this rabbit hole.
The simple version, which is still somewhat sub-optimal, is to pass the secrets via environment variables or something; for Jenkins specifically you should probably look at its Credentials Binding plugin or so.
The full-blown solution is to use something like vaultproject.io to manage secrets. Obviously this is a fair amount of work but you'll get good secrets management at the end.
Cheers, Floris
_______________________________________________ pytest-dev mailing list pytest-dev@python.org https://mail.python.org/mailman/listinfo/pytest-dev
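The two routes suggested in the thread (Floris: pass secrets in via environment variables, ideally bound by Jenkins' Credentials Binding plugin; Dave: store a variables file as a Jenkins credential and point the job at it through an environment variable) can be served by one conftest-style loader. What follows is an added example written for this page; it is not code from the thread, from pytest-variables or from the mozillians-tests Jenkinsfile. Its assumptions: a `SECRETS_FILE` variable carrying the path of a "secret file" credential, a `PW_<account_id>` variable per account when no file is bound (so account ids must be valid environment-variable suffixes), a JSON rather than YAML file so it runs on a bare interpreter, and a constructed sample data model of three accounts.

```python
"""conftest-style secret loading for a pytest suite run under Jenkins.

Added example for this thread, not project code. Assumed conventions:
  * SECRETS_FILE   - path to a JSON file {"<account_id>": "<password>", ...}.
    A Jenkins "secret file" binding writes the credential to a temp path and
    exports that path in the variable you name.
  * PW_<account_id> - one "secret text" binding per account, used when no
    SECRETS_FILE is set (also convenient for local runs).
JSON stands in for the YAML file from the thread only so this needs no PyYAML.
"""
import json
import os
from dataclasses import dataclass, field
from typing import Dict, Iterable, Mapping

SECRETS_FILE_VAR = "SECRETS_FILE"   # assumed name
PASSWORD_PREFIX = "PW_"             # assumed name


@dataclass(frozen=True)
class Account:
    account_id: str
    username: str
    tier: str  # "staging", "production", ...


@dataclass(frozen=True)
class Credential:
    account: Account
    # repr=False keeps the password out of assertion-rewrite output,
    # tracebacks and `pytest -v` fixture dumps in the Jenkins console log.
    password: str = field(repr=False)


class SecretsMismatch(Exception):
    """Raised when the code's account model and the secret store disagree."""


# Constructed sample data model; a real suite keeps this in its own module.
ACCOUNTS = (
    Account("admin_staging", "admin@example.test", "staging"),
    Account("reader_staging", "reader@example.test", "staging"),
    Account("admin_prod", "admin@example.test", "production"),
)


def load_secrets(env: Mapping[str, str]) -> Dict[str, str]:
    """Return {account_id: password} from the bound secret file, else from PW_* vars."""
    path = env.get(SECRETS_FILE_VAR)
    if path:
        with open(path, "r", encoding="utf-8") as fh:
            data = json.load(fh)
        if not isinstance(data, dict) or not all(isinstance(v, str) for v in data.values()):
            raise SecretsMismatch(f"{SECRETS_FILE_VAR} must map account ids to strings")
        return dict(data)
    return {
        name[len(PASSWORD_PREFIX):]: value
        for name, value in env.items()
        if name.startswith(PASSWORD_PREFIX)
    }


def bind_credentials(accounts: Iterable[Account],
                     secrets: Mapping[str, str]) -> Dict[str, Credential]:
    """Pair every modelled account with its password and fail fast on any drift.

    The error lists account ids only, never passwords, so it is safe in CI logs.
    """
    accounts = tuple(accounts)
    wanted = {a.account_id for a in accounts}
    present = set(secrets)
    missing = sorted(wanted - present)
    extra = sorted(present - wanted)
    empty = sorted(i for i in wanted & present if not secrets[i])
    problems = []
    if missing:
        problems.append("no password for: " + ", ".join(missing))
    if extra:
        problems.append("unknown account ids in secret store: " + ", ".join(extra))
    if empty:
        problems.append("empty password for: " + ", ".join(empty))
    if problems:
        raise SecretsMismatch("; ".join(problems))
    return {a.account_id: Credential(a, secrets[a.account_id]) for a in accounts}


try:
    import pytest
except ImportError:  # the loader itself has no pytest dependency
    pytest = None

if pytest is not None:
    @pytest.fixture(scope="session")
    def credentials():
        """Session fixture: one Credential per modelled account, loaded once per run."""
        return bind_credentials(ACCOUNTS, load_secrets(os.environ))
```

In a declarative pipeline the file route is a one-liner in the `environment` block, `SECRETS_FILE = credentials('<credential-id>')`, and the per-account route is the same helper applied to secret-text credentials; either way the job never checks the passwords into the repository, and a data-model/secret-store mismatch surfaces as one `SecretsMismatch` at session start instead of as scattered login failures.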
Participants (3): Dave Hunt, Derek Sisson, Floris Bruynooghe