Once secrets are in memory, secrets are sometimes indistinguishable to developers from benign strings. Secrets should be reliably distinguishable from benign strings for the lifetime of a dbt run.
The ambiguity makes it necessary to remember to scrub secrets naively before making any output.
Secrets are not consumed the same way when provided in files and environment variables, which drives some of this ambiguity:
If the password is in profiles.yml, we will attempt to Jinja-render the password, which makes certain valid passwords throw an exception because they include partial Jinja syntax.
Passwords should be treated the same regardless of their origin. Developers should be aware when they are working with secrets enough to not rely on naive output scrubbing.
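One way to make secrets distinguishable for their whole lifetime, as an added sketch that is not dbt's code or part of the original issue: wrap every secret in a dedicated type at load time, whatever its origin, and never pass it through the template renderer. The names `Secret`, `load_credentials`, `SECRET_KEYS`, the `EXAMPLE_` environment variable prefix and the `toy_render` stand-in for Jinja rendering are all assumptions made for illustration.

```python
SECRET_KEYS = {"password"}  # assumption: keys that must be treated as secrets

class Secret:
    """Wrapper that keeps a secret distinguishable from benign strings."""
    __slots__ = ("_value", "origin")

    def __init__(self, value, origin):
        self._value = value
        self.origin = origin  # "profiles.yml" or "env"

    def reveal(self):
        # The only way to get the raw value; easy to grep for in review.
        return self._value

    def __repr__(self):
        return f"Secret(origin={self.origin!r}, value=*****)"

    __str__ = __repr__  # str(), f-strings and %s logging all print the mask

def toy_render(text):
    """Stand-in for template rendering: rejects unbalanced Jinja delimiters."""
    for open_, close in (("{{", "}}"), ("{%", "%}"), ("{#", "#}")):
        if text.count(open_) != text.count(close):
            raise ValueError(f"unbalanced {open_!r} in template")
    return text

def load_credentials(profile, env):
    """Build credentials; secrets take the same path whatever their origin."""
    creds = {}
    for key, value in profile.items():
        if key in SECRET_KEYS:
            creds[key] = Secret(value, origin="profiles.yml")  # never rendered
        else:
            creds[key] = toy_render(value)
    for key in SECRET_KEYS:
        env_name = "EXAMPLE_" + key.upper()  # hypothetical variable name
        if env_name in env:
            creds[key] = Secret(env[env_name], origin="env")
    return creds

# Constructed sample: a valid password that contains partial Jinja syntax.
SAMPLE_PROFILE = {"host": "localhost", "user": "analytics", "password": "p{{ss%}w0rd"}

if __name__ == "__main__":
    creds = load_credentials(SAMPLE_PROFILE, {})
    print(creds)  # the password prints masked, no scrubbing step needed
    conn_password = creds["password"].reveal()  # explicit, auditable unwrap
```

Because the mask lives in the type rather than in a scrubbing pass over output, a developer who logs the credentials dictionary by accident leaks nothing, and the raw value is only reachable through `reveal()`.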