Hi Lance,

 but I need for people who are admins for a particular cloud to add their cloud 
details to the app and then store their credentials securely.


I'm not sure I understand the need for adding cloud details to the app for the 
admins.


The suggestion I made assumed that sensitive information is managed as K8S 
secrets. As long as the admins have GCloud (for instance) credentials set 
(which are stored and managed at GCloud level), they can administrate the 
secrets resources by "applying" the corresponding YAML descriptors remotely 
from their workstation. The sensitive values are thus stored nowhere inside the 
application itself, but passed to the containers at runtime as environment 
variables.


Maybe I've misunderstood your need and sorry in this case if my answer is off 
topic.


Best


Eric

________________________________
From: django-users@googlegroups.com <django-users@googlegroups.com> on behalf 
of Lance Haig <lnh...@gmail.com>
Sent: Monday, November 12, 2018 9:07:30 AM
To: django-users@googlegroups.com
Subject: Re: How do I store details securely with django?


Hi Eric,


Thanks for the response.


This idea has an end goal of being deployed in a resilient way so most probably 
docker with some form of orchestration, Docker swarm or Kubernetes.


The credentials are mainly stored in a .env file at the moment and could be 
added to the secrets but I need for people who are admins for a particular 
cloud to add their cloud details to the app and then store their credentials 
securely.


Unfortunately this will need a dynamic storage mechanism which I don't know how 
to do yet.


Regards


Lance



On 11/12/18 12:03 AM, PASCUAL Eric wrote:

Hi,


It can depend on which deployment option you plan to use for the application.


For instance, a Docker deployment orchestrated by Kubernetes gives the option 
of using secrets for sensitive information, which a hoster such as GCP manages 
conveniently. In this kind of deployment, configuration (and secrets) are 
passed to the app as environment variables, to which Kubernetes configuration 
maps and secrets are mapped. Thanks to this, values are stored nowhere in 
the app code, companion files or database.


Regards


Eric

________________________________
From: django-users@googlegroups.com <django-users@googlegroups.com> on behalf 
of Mike Dewhirst <mi...@dewhirst.com.au>
Sent: Sunday, November 11, 2018 11:07:14 PM
To: django-users@googlegroups.com
Subject: Re: How do I store details securely with django?

On 12/11/2018 12:47 AM, Lance Haig wrote:
> Hi,
>
> I have a project I am working on https://github.com/lhaig/usery/ and
> part of the roadmap of the project is to add more cloud types to the
> list.
>
> I wanted to allow admins for these services to login and create
> records for their different clouds in the DB and then use these when
> people request access to these services.
>
> I need to find a secure way to store these credentials so that even if
> the DB is compromised the credentials are safe.

I agree credentials should not be stored in the database but what are
your other assumptions about the threats?

How many sets of credentials will there be?

In future, will you be using simple credentials or tokens, certificates,
multi factor auth?

If this is a prototype and only a few sets are involved you can store
credentials in a file or one file per set and write a method to fetch
them as required. That will keep them out of the database and let you
rejig the method after you have decided how it should really work.

>
> Does anyone have suggestions on how I can accomplish this?
>
> I would really appreciate some advice.
>
> Regards
>
> Lance
>
>
>

--
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-users+unsubscr...@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-users/c8819341-7c60-56ee-6298-3a6a7897e9b1%40dewhirst.com.au.
For more options, visit https://groups.google.com/d/optout.
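
Added example, not part of the original thread and not code from the usery project: one way to write the "one file per set" fetch method suggested in Mike Dewhirst's reply, with the directory location supplied through an environment variable as in Eric's deployment. The variable name `CLOUD_CREDENTIALS_DIR`, the `<cloud>.json` layout, and the names `fetch_credentials` and `CredentialError` are assumptions made for illustration.

```python
import json
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Optional

# Hypothetical names: CLOUD_CREDENTIALS_DIR and the <cloud>.json layout are
# assumptions of this example, not part of the project discussed in the thread.
ENV_VAR = "CLOUD_CREDENTIALS_DIR"
_NAME_RE = re.compile(r"[a-z0-9][a-z0-9_-]{0,62}")


class CredentialError(Exception):
    """Raised when a credential set cannot be loaded safely."""


def fetch_credentials(cloud: str, base: Optional[Path] = None) -> dict:
    """Return the credential set for one cloud, read from its own file."""
    # Allow-list the name so a request can never escape the directory.
    if not _NAME_RE.fullmatch(cloud):
        raise CredentialError(f"invalid cloud name: {cloud!r}")
    if base is None:
        if ENV_VAR not in os.environ:
            raise CredentialError(f"{ENV_VAR} is not set")
        base = Path(os.environ[ENV_VAR])
    try:
        with open(base / f"{cloud}.json", encoding="utf-8") as fh:
            mode = os.fstat(fh.fileno()).st_mode
            # Refuse files that group or other users can read or write.
            if not stat.S_ISREG(mode) or mode & 0o077:
                raise CredentialError(f"unsafe file mode for {cloud}")
            data = json.load(fh)
    except (OSError, ValueError) as exc:
        raise CredentialError(f"cannot load credentials for {cloud}") from exc
    if not isinstance(data, dict):
        raise CredentialError(f"credentials for {cloud} must be a JSON object")
    return data


if __name__ == "__main__":
    # Constructed sample data, written to a throwaway directory.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "demo-cloud.json"
        sample.write_text(json.dumps({"username": "svc", "token": "constructed"}))
        os.chmod(sample, 0o600)
        print(sorted(fetch_credentials("demo-cloud", Path(tmp))))
```

Because callers only see `fetch_credentials`, the file lookup can later be replaced by another backend without touching the rest of the application.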