Allow sensitiv parameters

[TheZoker]

It would be amazing, if there was an additional property for a coder_parameter called sensitiv (or similar).
This would hide the current value of the parameter if the workspace is viewed.
It should allow to overwrite the parameter, therefore show it when the user overwrites it, but again hides it when the user saves the change.

This would allow users to e.g. input API keys as parameters, but hide them after inserting them.

[matifali]

@TheZoker We do not recommend adding or storing any secrets/credentials via coder_paramter. You may use a terraform variable with sensitive=true for this purpose, which will prevent it from being printed in logs.

[TheZoker]

But a terraform variable would not be shown in the workspace setup process, right?

And wouldn't a sensitive option for the coder_parameter be able to solve this issue?

(Source: https://coder.com/docs/v2/latest/secrets)

Just hide the parameter everywhere in the UI/logs by showing ****** instead

[matifali]

They are not designed to accept and show secrets. And are only available on the workspace creation form. Please elaborate on your use case.

You can also try HCP Vault Secrets module to store and fetch secrets/API keys within your workspace.
I guess its free upto 25 secrets.

[TheZoker]

The use case is, that the user should be able to input a API key on creation of the workspace. He should be able to change it, but should not be able to see the API key outside of the workspace. Inside of the workspace, we provide the key as env variable and run a script to setup certain authentications. Sure we could also ask the user to create a file with the secret in it within the workspace, but then we would not be able to run our script in startup. This would also add more manual setup steps to a automated setup system.

So in my opinion, it would be nice, if the user is guided trough setting up the workspace by inputting the API key in the workspace creation form and afterwards the key is displayed as *****. Similar to how many applications handle password change. Show **** when visiting the setup page, allow the users to overwrite it in clear text and after saving the change, show ***** again.

What would speak against providing a sensitiv option for the coder_parameter entity and hiding the value in the UI/logs? I thinks that's an elegant way to allow users to setup workspaces via the UI and also protecting the secret from other users with read access to the workspace.

And for just a simple API key we don't want to implement/deploy another third party app, just to store and receive it.

[johnstcn]

@TheZoker Would coder/coder#7087 cover this use-case?

[TheZoker]

Yes in my case this would absolutely solve the issue!
But I can imagine, that for some setups, it's required to have different secrets for different workspaces.

For me case this would be fine!

[michaelbrewer]

Workspace insights lists out all workspace parameters, masking at least for the UI should be allowed.