[FEATURE REQUEST] Support storing Fastly CLI credentials in 3rd party backends #1113
Labels
Comments
|
Thanks @AriESQ for opening this issue. I've created an internal ticket to track and discuss this 👍🏻 |
|
An update: the CLI now offers the option of using OAuth/OIDC against manage.fastly.com for authentication. This still results in storing tokens in the |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
It is bad practice to keep credentials on disk.
Describe the solution you'd like
I would like to see Fastly CLI support 3rd party secret backends. See for example Terraform Credential Helper, Git Credential Manager, AWS Vault, etc.
As well as the fact that all the platforms offer a credential manager these days.
Further I would like to see the starter documentation push users towards using a secure method. Perhaps allowing advanced users to use a derivation of an SSH key. Note that other infrastructure companies are moving towards requiring 2FA of their users (Github, PyPi).
Describe alternatives you've considered
I believe the documentation should be updated regardless. Pointing out users to where the token is stored, and what the dangers of storing it on disk are. Maybe there should be a check on what permissions the token has. Similar to how
ssh-agentwarns if a private SSH key has too open permissions.Alternatives available are to inject the token at run-time as a secret. Perhaps the documentation should walk user's through some easy mode examples of that.
Additional context
I no longer work with Fastly. This is an observation from a previous engagement. Thank you, good luck.
The text was updated successfully, but these errors were encountered: