-
-
Notifications
You must be signed in to change notification settings - Fork 3.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
dns-cloudflare: Support credentials in environment variable #8114
Comments
Additionally, the version number of the cloudflare python libraries could be updated in the following file - https://github.com/certbot/certbot/blob/master/certbot-dns-cloudflare/setup.py This would allow for more authentication modes (including API Tokens). |
Environment variables are supported by the underlying CloudFlare library, yes, however certbot currently provides creds to that library from the file provided to certbot with the @mahtin as for updating the library, the reason that hasn't happened is due to the maximum versions supplied by some OS's that are supported by certbot. I implemented Tokens in #7583 and #8015 which made it into certbot v1.2.0 and 1.6.0. The easiest way to get Token support in certbot is to install from snap, as the newest versions of certbot and the cloudflare library are used. |
This is a really important feature for using certbot in "infrastructure as code" environments. Many container orchestration tools only support passing sensitive data as environment variables, requiring users to use config files encourages users to store their cloudflare credentials unsecured, which lowers security for everyone. Is there still a plan to rewrite these plugins? Can this feature be reconsidered for development? |
If I understand correct, for environment variables to work all we need is to wrap this few lines of code with additional attempt to get values from corresponding environment variables, aka: token = os.getenv("CLOUDFLARE_API_TOKEN", default = credentials.conf('api-token'))
email = os.getenv("CLOUDFLARE_EMAIL", default = credentials.conf('email'))
key = os.getenv("CLOUDFLARE_API_KEY", default = credentials.conf('api-key')) so it will be backward compatible and solve the main issue |
I have some pretty big misgivings about letting libraries implicitly look for credentials, because it sets us up for pain when these libraries decide to make breaking changes to how they locate credentials (including changing the search order). We would be eventually forced to inherit these breaking changes. Or even worse, as in the case of the Google plugin, we had to change libraries entirely because the old one was abandoned. That said, we do support this pattern already with Route53 and Google. An appropriate design for this change would be to permit all three parameters (
I think it is otherwise unlikely that we would add broad support for environment variables to DNS plugins. On a mutable system, where Certbot is mostly used, getting environment variables to persist (so that the |
We've made a lot of changes to Certbot since this issue was opened. If you still have this issue with an up-to-date version of Certbot, can you please add a comment letting us know? This helps us to better see what issues are still affecting our users. If there is no activity in the next 30 days, this issue will be automatically closed. |
The original issue (opened by @sinofool four years ago) is still valid. The code simply has to accept the pass on of no email/token or key and let the underlying library use environment variables. Presently, the higher level code is not allowing this. Hope that helps summarize all this. |
I would like to use environment variables for email and/or api token.
This is supported by the underlying Cloudflare library:
https://github.com/cloudflare/python-cloudflare#using-shell-environment-variables
The text was updated successfully, but these errors were encountered: