Security issue MYSQL_PASSWORD as ENV variable #10
Comments
Fair point. It's only used when setting the database credentials here. We could probably replace this with something like:

```bash
if [ -f "${MYSQL_PASSWORD}" ]; then
    _MYSQL_PASSWORD=$(<"$MYSQL_PASSWORD")
else
    _MYSQL_PASSWORD=$MYSQL_PASSWORD
fi
CMD_CONFIG="${CMD_MAGENTO} setup:config:set --db-host="${MYSQL_HOSTNAME}" \
    --db-name="${MYSQL_DATABASE}" --db-user="${MYSQL_USERNAME}" \
    --db-password="${_MYSQL_PASSWORD}" --key="${CRYPTO_KEY}""
```

It would still require you to pass on the information through an environment variable. I'm not 100% sure how it affects running copies as Would that help?
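As an added example (not the project's entrypoint and not code from either commenter), the following POSIX shell helper implements the path-or-literal resolution sketched in the comment above and, going one step further, the `_FILE` suffix convention used by the official MySQL image, so a Docker secret can be referenced without having to guess whether a value is a path. The function names, the `MYSQL_PASSWORD_FILE` variable and the sample secret are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not part of the project: resolve a secret that may arrive
# either as a literal value or as the path of a file (for instance a Docker
# secret mounted under /run/secrets/). Function names are assumptions.

# resolve_secret VALUE
#   If VALUE names a readable regular file, print its contents with trailing
#   newlines stripped (command substitution does that for us); otherwise
#   print VALUE itself. Prints nothing for an empty VALUE.
resolve_secret() {
    if [ -n "$1" ] && [ -f "$1" ] && [ -r "$1" ]; then
        printf '%s' "$(cat "$1")"
    else
        printf '%s' "$1"
    fi
}

# load_secret VARNAME
#   Look up VARNAME_FILE first (always a path, the convention used by the
#   official MySQL image), then VARNAME (path or literal, as in the comment
#   above). POSIX sh has no ${!name}, so eval is used for the indirection;
#   VARNAME is validated first so that eval never sees shell syntax.
load_secret() {
    case $1 in
        ''|*[!A-Za-z0-9_]*)
            echo "load_secret: bad variable name" >&2
            return 1 ;;
    esac
    eval "_lf=\${${1}_FILE:-}"
    eval "_lv=\${${1}:-}"
    if [ -n "$_lf" ]; then
        # A *_FILE variable is a path by definition: fail loudly if it is not.
        if [ ! -f "$_lf" ]; then
            echo "load_secret: ${1}_FILE=$_lf is not a file" >&2
            return 1
        fi
        resolve_secret "$_lf"
    else
        resolve_secret "$_lv"
    fi
}

# Demo with a constructed secret file (the value is made up for this example).
demo_secret=$(mktemp)
printf 'example-only-password\n' > "$demo_secret"
MYSQL_PASSWORD_FILE=$demo_secret
pw=$(load_secret MYSQL_PASSWORD)
echo "resolved ${#pw} bytes from $MYSQL_PASSWORD_FILE (trailing newline stripped)"
rm -f "$demo_secret"
unset MYSQL_PASSWORD_FILE pw
```

Two caveats worth keeping in mind. Reusing `MYSQL_PASSWORD` for both forms is ambiguous if a literal password happens to equal an existing path, which is why the `_FILE` variant is checked first and is never treated as a literal. And whichever way the value is resolved, handing it to `setup:config:set --db-password=...` still puts it into the process argument list, where on a default Linux host `/proc/<pid>/cmdline` is readable by other users for as long as that command runs; reading the secret from a file keeps it out of `docker inspect` and the container environment, not out of argv.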
IMHO passing secrets through ENV variables is not state of the art.
See also here.
In your example you said that you used the following code: `$password = $is_dev ? $_ENV['MYSQL_PASSWORD'] : trim(file_get_contents($_ENV['MYSQL_PASSWORD']));`, which is why I made the Feel free to open a PR for whatever solution you feel is best. You can introduce a new variable or reuse the existing one as in the example I posted, I don't have a strong opinion about either.
Thanks for your great work, especially for this article.

Here is what we do:

Using the swarm mode of Docker, we create Docker Secrets.

Instead of

    MYSQL_PASSWORD | MySQL password | secure

we're using:

    MYSQL_PASSWORD | MySQL password | secure or /run/secrets/MYSQL_PASSWORD

In the place where we need it, we do something like:

So, if `$is_dev`, we can use it as plaintext, otherwise we get the output from our Docker secret.