Idea #13112
Updated by Peter Amstutz almost 7 years ago
There needs to be a way to store credentials and other secrets securely for use by crunch containers. See note-2 for background discussion.

Proposal: https://dev.arvados.org/projects/arvados/wiki/Vault

Based on the proposal, the essential development tasks are:

* Create secrets table in API server
* Create Vault plugin that enables login with Arvados API token and interacts with secrets table to determine policy granting access to secrets.
* Arvados client support to work with secrets (at minimum, a command line client for reading, writing, and listing secrets which interacts with the API server and Vault)

In order to integrate secrets handling into CWL, a couple of additional tasks are necessary:

* arvados-cwl-runner feature to indicate inputs that represent "secrets" and adjust the container request accordingly.
* Crunch-run feature to access Vault and perform substitution of secret into config file or environment just-in-time, as part of container setup, prior to running container.