As an operator I don't want teams having to ask me to upload their concourse-referencable credentials into credhub.
If a team wants credentials for their team to be changed, they have to:
1. Know who to contact && then figure out a way to send their credentials (sometimes email, which makes me physically ill)
2. Often some back and forth about "are you sure this is the right path? is this spelled correctly? is this supposed to be json or a user or what?" etc.
3. Wait for me to get around to it, which involves me formatting everything into a `credentials.yml` bulk upload
4. "alright it's uploaded can you check?"
Or sometimes we do a private git repo to do credential exchange. Which is still definitely not ideal.
What would make this better?
Some ability for teams to self-service their own credhub credentials to be used within their concourse team. It's not the end of the world if this doesn't get implemented anytime soon. Credhub 2.x just introduced scoped permissions, and even the credhub-cli doesn't support permission management commands yet. So I imagine it'll be a while before a robust self-service workflow emerges.
I'd just like to know if there's some kind of vision or roadmap for how self-service credential management via credhub could work in the future?
Regarding credentials management with CredHub, we've only just started to look at making Concourse work with scoped permissions in the 2.x series (as you identified in #2723). I've seen some folks build out entire tooling around Concourse to make cred mgmt more self-service, but that was with Vault. I think it's definitely something we can look at now that we have RBAC in place and (in the future) compatibility with CredHub 2.x.
Are you interested in implementing this yourself?
God help us all, no. But thank you for asking.