
Logan hard-codes the credentials used to decrypt secrets

Logan currently hard-codes the decryption key for secrets to uis-automation-dm/terraform/admin-service-account. Allow this to be overridden in the configuration via a new key configuration setting for a secret. The secret would now look like:

secrets:
  - name: some secret
    source: a/foo.txt.enc
    target: b/foo.txt
    key:
      type: google-kms
      project: some-project-id
      location: europe-west2
      keyring: some-keyring
      key: some-key

The default for all secrets will be:

key:
  type: google-kms
  project: uis-automation-dm
  location: global
  keyring: terraform
  key: admin-service-account
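
One way the proposed lookup could resolve a key per secret, as an added example that is not Logan's own code. The function names, the "legacy secret" entry and the rule that a key block must be complete rather than merged field by field with the default are assumptions; the sample secrets are constructed and given as already-parsed dicts so the block runs without a YAML library.

```python
# Added example: resolve the KMS key for each secret, falling back to the default.
DEFAULT_KEY = {
    "type": "google-kms",
    "project": "uis-automation-dm",
    "location": "global",
    "keyring": "terraform",
    "key": "admin-service-account",
}
REQUIRED = ("type", "project", "location", "keyring", "key")


def resolve_key(secret):
    """Return the key settings for one secret entry (a dict parsed from the YAML)."""
    key = secret.get("key")
    if key is None:
        return dict(DEFAULT_KEY)
    if not isinstance(key, dict):
        raise ValueError(f"{secret.get('name')}: key must be a mapping")
    missing = [f for f in REQUIRED if not key.get(f)]
    unknown = sorted(set(key) - set(REQUIRED))
    # Assumption: no field-by-field merge with the default, so a typo cannot
    # silently pair a custom keyring with the default project.
    if missing or unknown:
        raise ValueError(f"{secret.get('name')}: missing={missing} unknown={unknown}")
    if key["type"] != "google-kms":
        raise ValueError(f"{secret.get('name')}: unsupported key type {key['type']!r}")
    return dict(key)


def kms_resource_name(key):
    """Build the Cloud KMS CryptoKey resource name for resolved settings."""
    return ("projects/{project}/locations/{location}"
            "/keyRings/{keyring}/cryptoKeys/{key}").format(**key)


# Constructed sample input, equivalent to the parsed `secrets:` list.
SAMPLE_SECRETS = [
    {"name": "some secret", "source": "a/foo.txt.enc", "target": "b/foo.txt",
     "key": {"type": "google-kms", "project": "some-project-id",
             "location": "europe-west2", "keyring": "some-keyring", "key": "some-key"}},
    {"name": "legacy secret", "source": "a/bar.txt.enc", "target": "b/bar.txt"},
]

if __name__ == "__main__":
    for s in SAMPLE_SECRETS:
        print(s["name"], "->", kms_resource_name(resolve_key(s)))
```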