
Add guardian secret

Open mmitche opened this issue 2 years ago • 4 comments

To double check:

  • [ ] The right tests are in and the right validation has happened. Guidance: https://github.com/dotnet/arcade/tree/main/Documentation/Validation

mmitche avatar Dec 05 '23 00:12 mmitche

Is it normal to keep service connection PATs in this vault? This won't actually cause the service connection to update, right?

garath avatar Dec 05 '23 00:12 garath

> Is it normal to keep service connection PATs in this vault? This won't actually cause the service connection to update, right?

Correct. You still need to update the service connection. But it does add a tracked secret for the service connection, which avoids having to do the whole login/update procedure.

mmitche avatar Dec 05 '23 16:12 mmitche

The problem that this would bring is that secret-manager will cycle this PAT automatically. Its value will never be available to be seen by a human, so by the time we update the service connection, we will need to have generated a new PAT anyways.

I think this is another good candidate for the vault that @ilyas1974 is using to track service connection expirations until we add service connection update functionality to secret manager.

Okay good argument. Let me know what I should do @ilyas1974

mmitche avatar Dec 05 '23 16:12 mmitche

Thinking a bit more, the value will be available in the key vault, doh.

That does save us some steps in that the process would now be to take the value from the KV instead of using patgenerator from scratch.

The problem would remain that we would still not know that this PAT was cycled and that the service connection will break soon.

riarenas avatar Dec 05 '23 16:12 riarenas