Feature #13135
Status: closed
[CWL] Support for secrets
Description
String-type inputs to a workflow can be marked "secret: true".
arvados-cwl-runner ensures that secrets are obscured by using "secret_mounts" in container requests.
Secrets are entered into a "secrets" list inside the workflow runner.
When submitting a job, any mount or environment variable whose value contains any string in the "secrets" list is placed in "secret_mounts" or "secret_environment" respectively.
In addition, any command line argument that contains a secret could go into a "secret_command". In the container request, this is merged with the regular command line. One representation is a list of null values or strings, with one element per command line argument: null values are skipped, and strings replace the corresponding position in the command line.
Assumption: workflows don't modify the contents of secrets (the matching is by substring, so a secret that is transformed or concatenated before use would not be recognized). This seems reasonable.
The a-c-r logger has a filter that checks whether any string in the "secrets" list appears in output and obscures it.
When submitting the workflow runner, any secrets are placed in file literals in "secret_mounts"; the secret parameters appear in the input.json file as a CWL $include directive that reads the secret file contents when the runner executes.
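The following is an added worked example of the design sketched above (the mount/environment/command split, the server-side merge of "secret_command", the log-redaction filter, and the runner-side $include trick). It is illustrative code written for this page, not arvados-cwl-runner's own implementation: the function names, the empty-string placeholder left in the public "command", the "/secrets" mount directory, and the sample mounts, environment and command line are all assumptions or constructed data.

```python
import json
import logging
from typing import Any, Dict, List, Optional, Tuple

# Hypothetical helpers illustrating the design note; not arvados-cwl-runner code.


def contains_secret(value: Any, secrets: List[str]) -> bool:
    """True if any string in `secrets` occurs verbatim anywhere inside `value`.
    Walks nested dicts/lists so a mount's "content" or "path" is checked too."""
    if isinstance(value, str):
        return any(s and s in value for s in secrets)
    if isinstance(value, dict):
        return any(contains_secret(v, secrets) for v in value.values())
    if isinstance(value, (list, tuple)):
        return any(contains_secret(v, secrets) for v in value)
    return False


def split_secret_fields(mounts: Dict[str, Any], environment: Dict[str, str],
                        command: List[str], secrets: List[str]) -> Dict[str, Any]:
    """Partition container-request fields into public and secret halves.
    "secret_command" has one entry per argument: None where the argument is
    public, the argument itself where it contains a secret.  The public
    "command" keeps an empty-string placeholder there (assumed; the note does
    not specify the placeholder)."""
    cr: Dict[str, Any] = {"mounts": {}, "secret_mounts": {},
                          "environment": {}, "secret_environment": {},
                          "command": [], "secret_command": []}
    for path, mount in mounts.items():
        cr["secret_mounts" if contains_secret(mount, secrets) else "mounts"][path] = mount
    for name, value in environment.items():
        cr["secret_environment" if contains_secret(value, secrets) else "environment"][name] = value
    for arg in command:
        if contains_secret(arg, secrets):
            cr["command"].append("")
            cr["secret_command"].append(arg)
        else:
            cr["command"].append(arg)
            cr["secret_command"].append(None)
    return cr


def merge_command(command: List[str], secret_command: List[Optional[str]]) -> List[str]:
    """Server-side merge: nulls are skipped, strings overwrite the public
    command at the same index.  A length mismatch is a malformed request."""
    if len(command) != len(secret_command):
        raise ValueError("secret_command length must equal command length")
    return [s if s is not None else c for c, s in zip(command, secret_command)]


class SecretFilter(logging.Filter):
    """Replace every occurrence of a secret in a log message with asterisks.
    Longer secrets are substituted first so a secret containing a shorter one
    cannot leave a partial fragment behind."""
    MASK = "********"

    def __init__(self, secrets: List[str]):
        super().__init__()
        self.secrets = sorted({s for s in secrets if s}, key=len, reverse=True)

    def redact(self, text: str) -> str:
        for s in self.secrets:
            text = text.replace(s, self.MASK)
        return text

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so secrets passed through %-style args are caught too.
        record.msg = self.redact(record.getMessage())
        record.args = ()
        return True


def runner_secret_inputs(inputs: Dict[str, Any], secret_params: List[str],
                         secret_dir: str = "/secrets") -> Tuple[Dict[str, Any], Dict[str, Any]]:
    """Workflow-runner submission: each secret parameter becomes a file literal
    in secret_mounts, and input.json gets a CWL $include that reads it back
    when the runner starts.  The secret_dir path is an assumption."""
    secret_mounts: Dict[str, Any] = {}
    public_inputs = dict(inputs)
    for name in secret_params:
        path = f"{secret_dir}/{name}"
        secret_mounts[path] = {"kind": "text", "content": inputs[name]}
        public_inputs[name] = {"$include": path}
    return public_inputs, secret_mounts


def demo() -> Dict[str, Any]:
    """Run the pieces over constructed sample data and return the results."""
    secrets = ["hunter2"]  # constructed sample secret
    mounts = {"/keep/in": {"kind": "collection",
                           "portable_data_hash": "d41d8cd98f00b204e9800998ecf8427e+0"},
              "/etc/api_token": {"kind": "text", "content": "hunter2"}}
    environment = {"USER": "alice", "API_TOKEN": "hunter2"}
    command = ["tool", "--token", "hunter2", "--user", "alice"]
    cr = split_secret_fields(mounts, environment, command, secrets)
    merged = merge_command(cr["command"], cr["secret_command"])
    record = logging.LogRecord("a-c-r", logging.INFO, "", 0, "token=%s", ("hunter2",), None)
    SecretFilter(secrets).filter(record)
    public_inputs, runner_mounts = runner_secret_inputs(
        {"db_password": "hunter2", "sample": "s1"}, ["db_password"])
    return {"cr": cr, "merged": merged, "filtered": record.getMessage(),
            "public_inputs": public_inputs, "runner_secret_mounts": runner_mounts}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The filter formats the record before redacting so that a secret smuggled in through a `%s` argument is masked as well; the merge rejects a length mismatch rather than silently truncating, since a mismatch means the request was assembled incorrectly.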