
Secrets as environment variables similar to normal variables

Open lambrospetrou opened this issue 9 months ago • 1 comments

Problem to solve

I want to programmatically provide secrets as environment variables instead of the --secret argument.

It makes things easier in some cases, and it's more suitable for some uses like platforms (like Skybear.NET).

Proposal

Similar to how any environment variables can set Hurl variables, like HURL_abc=xyz setting the abc variable with value xyz, it would be great if we could have HURLSECRET_abc=xyz and this is the same as --secret abc=xyz.

Decide if it will be HURLSECRET_key=value or HURL_SECRET_key=value (although this might complicate existing variable logic).

Additional context and resources

In Skybear.NET, the users can set Hurl variables at the account level. Since Hurl 6.1.0 introduced secrets I want to transparently make any specified variable that seems sensitive to be a secret automatically without the user doing anything.

My only option right now is to use the --secret CLI argument, but that is more dangerous since a user could exploit that and break the actual command execution (I have some protections, but at some point someone could work around it).

Having the ability to do it with environment variables that only Hurl will parse seems a much better approach, and is how I automatically provide the Hurl variables right now.

Tasks to complete

  • [ ] ...

lambrospetrou avatar Mar 23 '25 12:03 lambrospetrou

Hello, I have done exactly the same. Adding a --secret access_token=$HURL_access_token at the command-line to make my env variable HURL_access_token a secret. But it could indeed bring other security issues.

I like the HURLSECRET_key=value solution.

fabricereix avatar Mar 31 '25 15:03 fabricereix

Hi, we're going to add support for HURL_SECRET_key=value.

@lambrospetrou we would like to deprecate variable injection HURL_myvariable=value and change it to HURL_VARIABLE_myvariable=value (i.e. change the prefix from HURL_ to HURL_VARIABLE_). This way, we'll have:

  • HURL_VARIABLE_myvariable=value => define a variable myvariable with value
  • HURL_SECRET_mysecret=value => define a secret mysecret with value

This way, we could use HURL_XXX for setting options by env variable (for instance HURL_INSECURE for --insecure, HURL_HTTP3 for --http3, HURL_VERBOSE for --verbose etc...). What's your opinion about it?

This is also a (quite old) suggestion from @tpluscode here https://github.com/Orange-OpenSource/hurl/discussions/1318

jcamiel avatar Sep 14 '25 22:09 jcamiel

Yeah, that sounds good to me. Super nitpick but maybe shortening it to HURL_VAR_xyz, but either way works.

lambrospetrou avatar Sep 15 '25 05:09 lambrospetrou
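
Added example (not part of the thread and not Hurl's own code): a sketch of how a platform wrapper could hand account-level variables to Hurl through the child environment instead of --secret arguments, using the HURL_SECRET_ / HURL_VARIABLE_ prefixes proposed above. The function names, the name rule, the "seems sensitive" heuristic and the sample values are assumptions made for illustration.

```python
import os
import re

# Prefixes as proposed in this thread (assumption: confirm against the Hurl release in use).
SECRET_PREFIX = "HURL_SECRET_"
VARIABLE_PREFIX = "HURL_VARIABLE_"

# Hypothetical platform rule for acceptable variable names.
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Hypothetical heuristic for "seems sensitive"; tune to the platform's needs.
SENSITIVE_RE = re.compile(r"token|secret|password|passwd|api_?key|auth", re.IGNORECASE)


def build_hurl_env(user_vars, base_env=None):
    """Return a child-process environment carrying user_vars for Hurl.

    Values never enter argv or a shell string, so quotes, spaces or
    leading dashes in a value cannot alter the command that is run.
    """
    env = dict(os.environ if base_env is None else base_env)
    # Drop inherited HURL_* entries so only the wrapper decides what is injected.
    for key in [k for k in env if k.startswith("HURL_")]:
        del env[key]
    for name, value in user_vars.items():
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"invalid variable name: {name!r}")
        if "\x00" in value:
            raise ValueError(f"NUL byte in value of {name!r}")
        prefix = SECRET_PREFIX if SENSITIVE_RE.search(name) else VARIABLE_PREFIX
        env[prefix + name] = value
    return env


def hurl_argv(hurl_file):
    """Fixed argv: no user-controlled value is interpolated into it."""
    return ["hurl", "--test", hurl_file]


if __name__ == "__main__":
    # Constructed sample values, one containing characters that upset shell quoting.
    sample = {"host": "https://example.org", "access_token": "--p@ss 'word'"}
    env = build_hurl_env(sample, base_env={"PATH": "/usr/bin"})
    print(sorted(k for k in env if k.startswith("HURL_")))  # names only, never values
    print(hurl_argv("checks.hurl"))
    # To execute: subprocess.run(hurl_argv("checks.hurl"), env=env, check=False)
```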