
Refresh secrets for VRMS backend

Open Tyson-miller opened this issue 1 year ago • 4 comments

As part of work done on this issue, there were some secrets mistakenly exposed in the PR that we should now refresh.

The list of secrets is:

  • gmail_client_id
  • gmail_refresh_token
  • gmail_secret_id
  • mailhog_password
  • slack_bot_token
  • slack_client_id
  • slack_client_secret
  • slack_oauth_token
  • slack_signing_secret

Which are set as container_env_vars in the ecs container for the vrms-backend.

The current secret values are stored in 1password and you can reach out to @Tyson-miller or in the ops channel to get them.

Tyson-miller avatar Nov 15 '23 16:11 Tyson-miller

@Spiteless These secrets are contained in the VRMS vault within 1password.

JackHaeg avatar Mar 28 '24 23:03 JackHaeg

Hey all, hopped on the DevOps COP call today and Bonnie requested I put some details on the secrets struggles here

Looking to refresh the tokens

gmail_client_id
gmail_refresh_token
gmail_secret_id
mailhog_password
slack_bot_token
slack_client_id
slack_client_secret
slack_oauth_token
slack_signing_secret

I have access to VRMS secrets, which stores these 4 env variables:

Screenshot of hackforlaVRMS/settings image

I don't currently have access to my 1password account, resolving that with support.


Here's the template that our client/backend .env files use:

Backend Secrets template
CUSTOM_REQUEST_HEADER=
SLACK_OAUTH_TOKEN=
SLACK_BOT_TOKEN=
SLACK_TEAM_ID=
SLACK_CHANNEL_ID=
SLACK_CLIENT_ID=
SLACK_CLIENT_SECRET=
SLACK_SIGNING_SECRET=
BACKEND_PORT=
REACT_APP_PROXY=
GMAIL_CLIENT_ID=
GMAIL_SECRET_ID=
GMAIL_REFRESH_TOKEN=
GMAIL_EMAIL=
MAILHOG_PORT=
MAILHOG_USER=
MAILHOG_PASSWORD=
JWT_SECRET=
SECRET=
NODE_ENV=

Front End
CLIENT_PORT=
CLIENT_URL=
BACKEND_HOST=
BACKEND_PORT=
REACT_APP_PROXY=
REACT_APP_CUSTOM_REQUEST_HEADER=
VITE_CLIENT_PORT=
VITE_CLIENT_URL=
VITE_BACKEND_HOST=
VITE_BACKEND_PORT=
VITE_REACT_APP_PROXY=
VITE_REACT_APP_CUSTOM_REQUEST_HEADER=

Questions and Clarifications

  • Are these secrets stored in 1password?
  • Are the secrets pulled from 1password during our build?
  • Do the secrets need to be changed anywhere else as well?

After all this is finished, we're looking to write a guide so that if the secrets are exposed again in the future we can solve it faster.

trillium avatar Apr 11 '24 01:04 trillium

@Spiteless Just to follow up on the "Questions and Clarifications" section in your comment, as I mentioned in my previous comment, the secrets are contained within the VRMS vault within 1password.

JackHaeg avatar May 14 '24 04:05 JackHaeg

@jbubar & @Spiteless put in a request to be able to view AWS deployment.

JackHaeg avatar May 21 '24 02:05 JackHaeg