[Docs issue] Need guidance on how securely to treat Sentry auth token (should it go in source control?) #1096
Comments
|
Hmm I agree, the auth token should not be included in source-control. Thanks for the suggestion and I will get on this. |
|
This issue has gone three weeks without activity. In another week, I will close it. But! If you comment or otherwise update it, I will reset the clock, and if you label it "A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀 |
marandaneto
added
Platform: Docs
|
we'll discuss that internally if we have to document the optimal approach for this but I'd say this is App's responsibility to secure its own token, this is sensitive information and should be treated as such, not checking into source control, etc. |
|
We'll document that this is sensitive information and should not be publicly available. |
|
In case this is useful for anyone else coming across the issue, this has since been discussed here as well — #2618 |
By default, the Sentry auth token is added to source control in multiple ways:
fastfilein theupload_symbols_to_sentrystepThe docs don't specify if the auth token should be treated more securely than the URL-esque key used in source code (which we put in an .ENV file although it will of course ship in the client).
It doesn't look like the CLI can do anything too destructive - only add, not delete, as far as I can see on a quick skim. So perhaps it's ok to have this auth token in source control.
But it would be I think valuable to have an explicit instruction both in the setup steps, and at this URL: https://sentry.io/settings/account/api/auth-tokens/ (That page also does not appear to give any guidance on how to treat this auth token.)
That way we'll all know what the best security practice is for these tokens.
Thanks for taking a look!
The text was updated successfully, but these errors were encountered: