Skip to content

/prometheus

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Read Azure credentials from environment variable #4857

Open
yanivroz opened this Issue Nov 12, 2018 · 5 comments

Comments

Assignees
No one assigned
Labels
component/service discovery
Projects
None yet
Milestone
No milestone
4 participants
@yanivroz @brian-brazil @cstyan @simonpasquier
@yanivroz
Copy link

yanivroz commented Nov 12, 2018

Proposal

I saw in the documentation that you can obtain AWS credentials from environment varaibles:

# The AWS API keys. If blank, the environment variables `AWS_ACCESS_KEY_ID`
# and `AWS_SECRET_ACCESS_KEY` are used.
[ access_key: <string> ]
[ secret_key: <secret> ]

Any plan to support the same for Azure?
something like this:

# The Azure API keys. If blank, the environment variables `AZURE_SUBSCRIPTION_ID`,
# `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_CLIENT_SECRET` are used.
[ subscription_id: <string> ]
[ tenant_id: <string> ]
[ client_id: <string> ]
[ client_secret: <secret> ]
@brian-brazil

This comment has been minimized.

Sign in to view
Copy link
Member

brian-brazil commented Nov 12, 2018

We recommend against using environment variables for secrets as they aren't designed for it. We also want to have just one place that configuration comes from. If the client we're using happens to this under the covers that's it's own business though.
@yanivroz

This comment has been minimized.

Sign in to view
Copy link
Author

yanivroz commented Nov 12, 2018

@brian-brazil I understand your point but isn't this kind of inconsistent to have it for one type of service discovery and not for another?
Also, I believe the security issues should be left for the user to decide. After all, putting the secret in the prometheus.yml file as plain text is just as bad as keeping it as an environment variable in clear text, no? (or am I missing something?)
@brian-brazil

This comment has been minimized.

Sign in to view
Copy link
Member

brian-brazil commented Nov 12, 2018

We can't control the consistency of the libraries vendors provide.

Environment variables are worse than files on disk, as it's common to e.g. dump them when there's an error.

@simonpasquier simonpasquier added the component/service discovery label Nov 13, 2018

@cstyan

This comment has been minimized.

Sign in to view
Copy link
Contributor

cstyan commented Jan 22, 2019

@yanivroz I guess the question is whether azure has official environment variables similar to those you would use with the AWS cli: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html#cli-quick-configuration

Even if it does, I agree with Brian.
@yanivroz

This comment has been minimized.

Sign in to view
Copy link
Author

yanivroz commented Jan 23, 2019
edited

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.