Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

By default hide values in KVM #95

Closed
peruzzof opened this issue Oct 4, 2022 · 8 comments
Closed

By default hide values in KVM #95

peruzzof opened this issue Oct 4, 2022 · 8 comments

Comments

@peruzzof
Copy link

peruzzof commented Oct 4, 2022

Currently I am using apigeecli in my CI/CD pipeline, one of the steps is to update the KVM "secrets". In my current scenario I believe that the values in KVM should be hidden by default. I believe that the best approach is a flag when we need to show the value of entries during the create/delete. But a flag to hide them will work as well in my scenario.

Could you check if this makes sense?
@srinandan
Copy link
Collaborator

This is a control plane feature (or a feature of the API) and best captured via a support case.

Personally, I don't think such a flag is helpful. It a user or service account has the ability to create/delete a KVM, they should be allow the see the values. This principle also applies to GCP Secret Manager.

@peruzzof
Copy link
Author

The issue here is that the user performing the action is a service account, but the logs are kept and being showed in our release process (Azure DevOps) that many users have access, so the assumption that who is seeing the result has the proper permission doesnt apply to this scenario.

So what I am proposing is a flag to hide the sensitive value both in the create and delete KVM entries. In my opinion this best fit the presentation layer (apigeecli) and not the control plane. Anyway I am opening a support case to implement an "update entry" as we have only the create and delete operations, so I will add the request.

Just to clarify, currently I am hiding using "jq" in the script that calls apigeecli, but if we got any error (eg: the credential expired) I will not be able to see the details as jq will complain about the unexpected format.

@srinandan
Copy link
Collaborator

oh I see what you mean. That is fair. I will add a flag to control the output.

srinandan added a commit that referenced this issue Oct 10, 2022
@srinandan
add support to hide output #95
e9f8ee2
@srinandan
Copy link
Collaborator

Can you please try: https://github.com/apigee/apigeecli/releases/tag/v1.113.1-beta

There is a new global flag --no-output=true. This suppresses API responses for that command.

@ssvaidyanathan
Copy link
Collaborator

@srinandan - what if there was an error? will it suppress the response?

@srinandan
Copy link
Collaborator

No, errors (404, 403 etc.) are still printed as-is from the control plane. I will clarify this in the help command.

@peruzzof
Copy link
Author

I just tested the beta release and is working as expected.
Thanks for the great work!

@srinandan
Copy link
Collaborator

This is now available with v1.113

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@peruzzof @srinandan @ssvaidyanathan