Project

General

Profile

Idea #13112

Updated by Peter Amstutz almost 7 years ago

There needs to be a way to store credentials and other secrets securely.    See note-2 note-1 for background discussion. background. 

 Proposal: 

 https://dev.arvados.org/projects/arvados/wiki/Vault 

 Based on the proposal, the essential development tasks are: 

 * Create secrets table in API server 
 * Create Vault plugin that interacts enables login with Arvados API token and interacts with secrets table to determine policy granting access to secrets. 

 In order to integrate secrets handling into CWL, a couple of additional tasks are necessary 

 * arvados-cwl-runner feature to indicate inputs that represent "secrets" and adjust the container request accordingly. 
 * Crunch-run feature to access Vault and perform substitution of secret into config file or environment just-in-time, as part of container setup, prior to running container.

Back