graphql-engine

Add support for Docker Secrets by reading secrets files

Open dabikuru opened this issue 5 years ago • 19 comments

Currently, the only way to pass secrets (DB credentials, Hasura admin secret) to Hasura is by environment variables. For users of Docker Compose or Docker Swarm, this means these secrets have to be stored in plaintext, which presents security risks.

It would be great to build support for Docker Secrets (or even Vault), by adding the following environment variables, as recommended by Docker:

  • HASURA_GRAPHQL_ACCESS_KEY_FILE
  • HASURA_GRAPHQL_DATABASE_URL_FILE

If these variables are present, the access key and DB URL should be read from the corresponding files.

Docs: https://docs.docker.com/engine/swarm/secrets/#build-support-for-docker-secrets-into-your-images

dabikuru avatar Mar 02 '20 02:03 dabikuru

@dcultrera Do you mean document this way of adding the secret in docker-compose? (I don't think Hasura needs to provide any support for this, this is a pure docker thing?)

tirumaraiselvan avatar Mar 02 '20 07:03 tirumaraiselvan

Hi @tirumaraiselvan, thanks for your reply!

I don't think this is purely a Docker thing: when Hasura starts up, it expects to receive those credentials as environment variables. The proposed change is to enable Hasura to read them from the specified files.

Docker Compose/Swarm is not the only orchestrator that suggests passing credentials this way. For example, Hashicorp's Nomad does the same with Vault secrets: they are made available to a container as files, without the host system being aware of the secrets themselves.

dabikuru avatar Mar 02 '20 07:03 dabikuru

@dcultrera Gotcha! This makes sense.

tirumaraiselvan avatar Mar 02 '20 07:03 tirumaraiselvan

@tirumaraiselvan thanks! I'd be happy to try and make a PR for this myself :) could I have some pointers as to where to get started?

dabikuru avatar Mar 02 '20 09:03 dabikuru

@dcultrera That'd be awesome.

You will need to add a server flag/environment variable. You can see this file where all server start options are specified: https://github.com/hasura/graphql-engine/blob/master/server/src-lib/Hasura/Server/Init.hs .

Then you need to resolve this new flag/variable in here: https://github.com/hasura/graphql-engine/blob/master/server/src-lib/Hasura/Server/Init.hs#L325

tirumaraiselvan avatar Mar 04 '20 13:03 tirumaraiselvan

@tirumaraiselvan thank you for your help! I will have a go at it soon :)

dabikuru avatar Mar 05 '20 10:03 dabikuru

@dcultrera Did you have a chance to look at implementing this?

rhyslbw avatar Apr 06 '20 00:04 rhyslbw

@dcultrera Any updates on this ticket?

D3CK3R avatar May 05 '20 12:05 D3CK3R

Hi @rhyslbw and @D3CK3R, I haven't been able to spend time on this, so if anyone would like to have a go, I'd appreciate it!

dabikuru avatar May 06 '20 01:05 dabikuru

Thanks for the update @dcultrera

@D3CK3R I'm handling this in a custom Docker image (required for a different migration strategy), so won't be in a position to contribute either sorry.

rhyslbw avatar May 22 '20 02:05 rhyslbw

Is there any workaround for this issue until fixed? It really seems like a bad idea in 2020 to just paste a superuser postgres password in plaintext.

apjoseph avatar Jun 18 '20 17:06 apjoseph

Here's a workaround to use docker secrets:

  graphql-engine:
    image: hasura/graphql-engine:v1.3.0
    command: sh -c 'graphql-engine --database-url "postgres://postgres:$$(cat /run/secrets/postgres_pass)@db:5432/postgres" serve --admin-secret "$$(cat /run/secrets/admin_secret)"'
    secrets:
      - postgres_pass
      - admin_secret

Obviously, you'll need to fill in the rest of the config like networks, ports, etc. You can still pass environment variables like HASURA_GRAPHQL_ENABLE_CONSOLE if needed.

korylprince avatar Aug 05 '20 23:08 korylprince
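The `_FILE` convention requested at the top of this issue can also be handled by a wrapper entrypoint that resolves each variable from its file before starting the server, which keeps the values off the command line. This is an added example, not code from the thread or from Hasura: the `file_env` helper and the wrapper are hypothetical, the `*_FILE` names are the ones proposed in the issue, and it assumes the engine reads the resulting variables from its environment.

```shell
#!/bin/sh
# Added example: resolve VAR from VAR_FILE (the Docker "_FILE" convention).
# The *_FILE names are the ones proposed in the issue, not options that
# graphql-engine itself reads; file_env is a hypothetical helper.

# file_env VAR: if VAR_FILE is set, export the file's content as VAR.
# Fails if VAR and VAR_FILE are both set, or the file is unreadable or empty.
file_env() {
    var=$1
    # The name is passed to eval below, so accept plain identifiers only.
    case $var in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "file_env: bad variable name" >&2; return 1 ;;
    esac
    eval "direct=\${$var-}"
    eval "path=\${${var}_FILE-}"
    if [ -n "$direct" ] && [ -n "$path" ]; then
        echo "file_env: $var and ${var}_FILE are both set" >&2
        return 1
    fi
    [ -n "$path" ] || return 0      # no file given: leave VAR untouched
    if [ ! -r "$path" ]; then
        echo "file_env: cannot read $path" >&2
        return 1
    fi
    # Command substitution strips the trailing newline most secret files carry.
    value=$(cat "$path")
    if [ -z "$value" ]; then
        echo "file_env: $path is empty" >&2
        return 1
    fi
    export "$var=$value"
    unset "${var}_FILE"
}

# Entrypoint body: runs only when a command is passed, e.g.
#   ENTRYPOINT ["/entrypoint.sh"]  CMD ["graphql-engine", "serve"]
if [ "$#" -gt 0 ]; then
    file_env HASURA_GRAPHQL_DATABASE_URL || exit 1
    file_env HASURA_GRAPHQL_ACCESS_KEY   || exit 1
    exec "$@"
fi
```

The resolved values still live in the server process's environment inside the container; what changes is that they no longer appear in the compose file or in the process argument list.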

Can we get an update on this issue from the Hasura team? I was using the workaround above by @korylprince, but it doesn't work with the cli-migrations-v2 image. It really seems silly that Hasura expects us to store our confidential info in plaintext in production? I hope that's not what they're doing themselves...

Miyou avatar Nov 08 '20 13:11 Miyou

You can also store the secrets in a .env file that will be consumed by docker-compose, and you can git-exclude that file

dionjwa avatar Apr 21 '22 14:04 dionjwa

> You can also store the secrets in a .env file that will be consumed by docker-compose, and you can git-exclude that file

Environment variables can be unintentionally leaked between containers. This is why this issue deserves a higher priority if you ask me.

adepto-io avatar Jun 10 '22 12:06 adepto-io

It's been two years. If I look into this, will it also be added to Hasura version 2?

tintin10q avatar Aug 03 '24 20:08 tintin10q

Actually the HASURA_GRAPHQL_DYNAMIC_SECRETS_ALLOWED_PATH_PREFIX does what we need.

Like every variable could follow the dynamic-from-file:///var/path behavior instead of only database connection strings.

tintin10q avatar Aug 04 '24 14:08 tintin10q

I looked around and is it correct that changes need to be made to just this file:

https://github.com/hasura/graphql-engine/blob/master/server/src-lib/Hasura/Server/Init/Env.hs

tintin10q avatar Aug 04 '24 14:08 tintin10q

You could add it to the considerEnv function. If the value of the env starts with from-file: then load from that file instead.

tintin10q avatar Aug 04 '24 14:08 tintin10q