Currently, when setting Key/Value pairs with st2 key set or st2 key load (and equivalent API calls) the data must be in a decrypted state. This means that if data is stored in an encrypted state we must decrypt it, then send it to the st2 CLI/API which then encrypts it again. Having this decrypt process fall on the responsibility of the end user requires them to implement this decrypt functionality.
Our use case here is that we have a keys.yaml file that contains all of our datastore key/values that contains encrypted values. This is exactly like grabbing a dump of st2 key list. When we provision a new instance of StackStorm or do a release we load this keys file in via st2 key load. Right now we have to decrypt all of the encrypted data, then pass that decrypted file in to st2 key load. We have to implement this decrypt code on our side and would like to allow StackStorm to handle this crypto work.
I propose allowing st2 key set and st2 key load (or equivalent API calls) to accept already encrypted values. The st2client or st2api would handle the decryption/encryption functions instead of the end user.
ISSUE TYPE
Feature Idea
PROPOSAL - st2client
We could implement this on the st2client side for st2 key set by passing a --decrypt flag:
$ st2 key set -e --decrypt test.mysecretvalue ABCD123
On the st2 key load side we would add a new decrypt: true attribute for keys that need their values decrypted.
PROPOSAL - st2api
We could handle the decryption within st2client if we like and pass the data to the API like we do today.
Or we could pass along this decrypt parameter to the API and allow st2api to decrypt and re-encrypt the data (or potentially pass through).