
Feature #13135

Updated by Peter Amstutz about 6 years ago

* string type inputs to a workflow can be marked "secret: true"
* arvados-cwl-runner ensures that secrets are obscured using "secret_mounts" in container requests.

Secrets are entered into a "secrets" list inside the workflow runner.

When submitting a job, any mount or environment variable that contains any string in the "secrets" list is placed in "secret_mounts" or "secret_environment".

In addition, any command line argument that contains a secret could go into a "secret_command". (In the container request, this is merged with the regular command line. Something like a list with semantics of null values or strings: null values are skipped, strings replace the corresponding position in the command line.)

Assumption: workflows don't modify the contents of secrets. This seems reasonable.

The a-c-r logger has a filter that checks if any strings in the "secrets" list appear in output and obscures them.

When submitting the workflow runner, any secrets are placed in file literals in "secret_mounts"; the secret parameters appear in the input.json file as an $include which reads the secret file contents when the runner executes.
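The partitioning and log-obscuring steps above, as an added illustration that is not arvados-cwl-runner's own code: `split_secrets` moves secret-bearing mounts, environment values and arguments into the secret fields, `merge_command` applies the null-skipped / string-replaces rule for "secret_command", and `redact` backs a logging filter. The `REDACTED` placeholder standing in for a secret in the public command is an assumption, as are the dict shapes of the sample mounts.

```python
import logging

REDACTED = "[secret]"  # stands in for a secret in the public fields (assumption)

def _has_secret(value, secrets):
    return isinstance(value, str) and any(s in value for s in secrets)

def split_secrets(command, mounts, environment, secrets):
    """Partition a container request into public and secret parts.

    A mount or environment value containing any string in `secrets` moves to
    secret_mounts / secret_environment. An argument containing a secret becomes
    REDACTED in `command` and keeps its real value at the same index of
    `secret_command` (None elsewhere), per the merge rule in the design note.
    """
    public_mounts, secret_mounts = {}, {}
    for path, mount in mounts.items():
        secret = any(_has_secret(v, secrets) for v in mount.values())
        (secret_mounts if secret else public_mounts)[path] = mount

    public_env, secret_env = {}, {}
    for name, value in environment.items():
        (secret_env if _has_secret(value, secrets) else public_env)[name] = value

    public_cmd = [REDACTED if _has_secret(a, secrets) else a for a in command]
    secret_cmd = [a if _has_secret(a, secrets) else None for a in command]
    return {"command": public_cmd, "secret_command": secret_cmd,
            "mounts": public_mounts, "secret_mounts": secret_mounts,
            "environment": public_env, "secret_environment": secret_env}

def merge_command(command, secret_command):
    """Recombine as the container would: None keeps the public argument."""
    return [s if s is not None else c for c, s in zip(command, secret_command)]

def redact(text, secrets):
    """Obscure every occurrence of any secret, longest secrets first."""
    for s in sorted(secrets, key=len, reverse=True):
        text = text.replace(s, REDACTED)
    return text

class SecretFilter(logging.Filter):
    """Logger filter in the spirit of the a-c-r output filter the note describes."""
    def __init__(self, secrets):
        super().__init__()
        self.secrets = list(secrets)

    def filter(self, record):
        record.msg, record.args = redact(record.getMessage(), self.secrets), ()
        return True
```

Attach the filter with `logging.getLogger().addFilter(SecretFilter(secrets))` so every record is scrubbed before any handler formats it.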

 TBD 
