Bug #15814
Updated by Peter Amstutz almost 3 years ago
In the container.json log of e51c5-xvhdp-ctxc9vlsbq7ae3x you can see:
<pre>
"api_key_per_sample": {
"$include": "/secrets/s0"
}
</pre>
In the container.json log of e51c5-xvhdp-mkzv6lz6mnphv7b, you can see the api_key_per_sample in plaintext.
h2. Implementation
The way secrets are handled in arvados-cwl-runner:
# the submitter process takes the secret string and adds a "text" type mount at /secrets/s0 (s1, s2, etc) to the container request
# In the input object, the parameter is replaced with "$include": "/secrets/s0"
# The workflow runner process (inside the container) loads the input object and processes the $input directive, which reads /secrets/s0 and replaces it with the contents of the file
# The workflow runner internally swaps the secret for a placeholder to avoid printing it in logging (including debug logging)
# The command line tool uses InitialWorkDir to define the credential files
# It observes that the file contains the placeholder for the secret
# The file is moved to secret_mounts and the placeholder is replaced by the real secret
# secret_mounts are hidden from all API responses except when crunch-run requests the "self" container. Secrets are wiped from the database when the container is finished
The part that workbench 2 needs to handle is:
# Recognizing which inputs are secrets
# Obscuring the secret with a "password" type text box
# When constructing the container request, moving secrets into the "secret_mounts" part, and replacing them in the input object with the $include reference.