Idea #13112
Updated by Peter Amstutz almost 7 years ago
There needs to be a way to store credentials and other secrets securely. See note-2 for background discussion.
Proposal:
https://dev.arvados.org/projects/arvados/wiki/Vault
Based on the proposal, the essential development tasks are:
* Create secrets table in API server
* Create Vault plugin that enables login with Arvados API token and interacts with secrets table to determine policy granting access to secrets.
* Arvados client support to work with secrets (at minimum, a command line client for reading, writing, and listing secrets which interacts with the API server and Vault)
In order to integrate secrets handling into CWL, a couple of additional tasks are necessary:
* arvados-cwl-runner feature to indicate inputs that represent "secrets" and adjust the container request accordingly.
* Crunch-run feature to access Vault and perform substitution of secret into config file or environment just-in-time, as part of container setup, prior to running container.