AEM cloud, how to deploy secret client settings without putting them in GIT? | Community
Level 8
July 6, 2021
Solved


  • July 6, 2021
  • 3 replies
  • 4245 views

The standard way to add environment-specific config settings is to use OSGi config files and the editor. The problem is that the editor is disabled for Cloud. If we put secrets in Git, any developer can access production systems.

How can we get round this? Is there a standard out-of-the-box way to include environment-specific values which are not in Git, which the backend devs can use for integrating with banking systems etc.?

This page:

https://experienceleague.adobe.com/docs/experience-manager-cloud-service/implementing/deploying/configuring-osgi.html?lang=en

Says this:

When to use secret environment-specific configuration values

Adobe Experience Manager as a Cloud Service requires the use of environment-specific configurations ($[secret:SECRET_VAR_NAME]) for any secret OSGi configuration values, such as passwords, private API keys, or any other values that cannot be stored in Git for security reasons. Use secret environment-specific configurations to store the value for secrets on all Adobe Experience Manager as a Cloud Service environments, including Stage and Production.

So there appears to be a mechanism, but there is no mention of how this mechanism works or is used. How do we set the values?


3 replies

Kiran_Vedantam
Community Advisor
July 6, 2021

Hi @tb3dock,

You can use context-aware configurations to add these values into any environment. Please note that these can be authored as well as sent via code.

https://sling.apache.org/documentation/bundles/context-aware-configuration/context-aware-configuration.html

Thanks,

Kiran Vedantam.

Asutosh_Jena_
Community Advisor
July 7, 2021
shelly-goel
Adobe Employee
Accepted solution
July 7, 2021

@tb3dock  Please use the syntax provided in the link you shared to use a variable (secret or dev env variable) in your config, and set these values using Cloud Manager:

https://github.com/adobe/aio-cli-plugin-cloudmanager#aio-cloudmanagerenvironmentset-variables-environmentid
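Putting the two pieces together (the `$[secret:...]` placeholder syntax quoted in the question and the Cloud Manager variables the accepted answer points at), here is an added example; it is not part of the thread and not Adobe's code. It models in Python what the committed `.cfg.json` looks like, how the Apache Felix ConfigAdmin Interpolation plugin that AEM as a Cloud Service uses resolves `$[env:...]` and `$[secret:...]` at startup (each secret arrives as a file named after the variable in a secrets directory, non-secret variables as process environment; how Cloud Manager delivers that directory to the runtime is not shown on this page), a pre-commit style lint that refuses secret-looking keys without a placeholder, and the argv of the `aio cloudmanager:environment:set-variables` call. The PID, key names, URLs, values and the `SECRET_KEY_HINT` heuristic are assumptions made for illustration; the `--variable` and `--secret` flag names are taken from the plugin README linked in the answer and should be checked against the installed version.

```python
"""Added example (not from the thread or from Adobe): how a committed OSGi config
stays free of secrets, how $[env:..] / $[secret:..] placeholders resolve at runtime,
and what the Cloud Manager CLI call to set those values looks like.
All PIDs, keys, paths and values below are constructed for illustration."""
import json
import re
import tempfile
from pathlib import Path

# Placeholder grammar of the Felix ConfigAdmin Interpolation plugin used by AEM as a
# Cloud Service: $[source:NAME] or $[source:NAME;default=VALUE], source in env/secret/prop.
# (Typed values via ';type=...' exist in the plugin but are not modelled here.)
PLACEHOLDER = re.compile(r"\$\[(env|secret|prop):([A-Za-z0-9_.\-]+)(?:;default=([^\]]*))?\]")

# Assumed heuristic: keys matching this must never hold a literal value in Git.
SECRET_KEY_HINT = re.compile(r"(password|secret|apikey|api_key|token|credential)", re.I)

# What goes into Git, e.g. config.prod/com.example.bank.BankClient.cfg.json (hypothetical PID):
# only placeholders, never the values themselves.
COMMITTED_CONFIG = {
    "endpoint": "$[env:BANK_API_URL;default=https://sandbox.example.invalid/api]",
    "timeoutMs": "$[env:BANK_API_TIMEOUT_MS;default=5000]",
    "apiKey": "$[secret:BANK_API_KEY]",
}


def find_plaintext_secrets(config):
    """Lint for a pre-commit hook: secret-looking keys must use a $[secret:...] placeholder.
    Returns the offending key names (empty list means the file is safe to commit)."""
    bad = []
    for key, value in config.items():
        if SECRET_KEY_HINT.search(key) and "$[secret:" not in str(value):
            bad.append(key)
    return bad


def resolve(value, env, secrets_dir):
    """Resolve every placeholder in one property value.

    env    -> non-secret variables (Cloud Manager 'variable' type), passed as a dict here
    secret -> one file per secret in secrets_dir, named after the variable
    prop   -> Java system properties; not modelled, so only a ';default=' resolves it
    A missing value without a default is treated as a deployment error in this model
    (the plugin's own behaviour on a missing value is not reproduced here).
    """
    def substitute(match):
        source, name, default = match.group(1), match.group(2), match.group(3)
        found = None
        if source == "env":
            found = env.get(name)
        elif source == "secret":
            secret_file = Path(secrets_dir) / name
            if secret_file.is_file():
                found = secret_file.read_text(encoding="utf-8").strip()
        if found is None:
            if default is None:
                raise KeyError(f"unresolved {source} variable {name!r}")
            return default
        return found

    return PLACEHOLDER.sub(substitute, value)


def resolve_config(config, env, secrets_dir):
    """Resolve all string properties of one OSGi configuration."""
    return {k: resolve(v, env, secrets_dir) if isinstance(v, str) else v
            for k, v in config.items()}


def set_variables_argv(environment_id, variables, secrets):
    """argv for the Cloud Manager CLI call that sets the values on one environment.
    Flag names follow the aio-cli-plugin-cloudmanager README linked in the thread
    (--variable NAME VALUE, --secret NAME VALUE); verify against your installed version.
    Note that the secret value is part of the process argv of this call."""
    argv = ["aio", "cloudmanager:environment:set-variables", str(environment_id)]
    for name, value in variables.items():
        argv += ["--variable", name, value]
    for name, value in secrets.items():
        argv += ["--secret", name, value]
    return argv


def demo():
    """Simulate prod: secrets directory populated outside Git, config resolved at startup."""
    with tempfile.TemporaryDirectory() as secrets_dir:
        # Constructed sample secret; in production this file is written by the platform.
        (Path(secrets_dir) / "BANK_API_KEY").write_text("constructed-sample-key", encoding="utf-8")
        env = {"BANK_API_URL": "https://bank.example.invalid/api"}  # timeout left to its default
        assert find_plaintext_secrets(COMMITTED_CONFIG) == []  # the committed file is clean
        return resolve_config(COMMITTED_CONFIG, env, secrets_dir)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The lint is a key-name heuristic, not a replacement for a real secret scanner, and `set_variables_argv` makes the point the author raises below visible: the secret is an argument of the CLI process, so whoever runs that command (and whatever logs its argv) sees the value. Running it from a trusted workstation with its own Cloud Manager credentials, rather than from the shared pipeline, keeps the value away from the pipeline operator.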

TB3dock (Author)
Level 8
July 7, 2021

Hi, thanks for the reply.

This solution doesn't seem to make sense or solve the problem.

According to the docs, if you "push" a setting to an env, it will re-deploy that env. So we assume:

  1. We can't push any settings to prod as this has to be up 24x7. Deployment takes 1-2 hours.
  2. If we need to push 10 settings, it will redeploy each time, so take around 20 hours.
  3. Every time we deploy a new version of the system, we have to re-deploy the settings, so 20 hours.

Also, it's extremely risky to use the command line to push secret settings to each env; it's easy to get wrong. We don't own the pipeline; that's managed by another company. We don't want them to access the secrets. If they put a command line to add secrets into the pipeline, then that company now has the secrets, so we would be back to square one. We don't see how this system helps. We need something like Azure Key Vault, where one trusted person can add a key which is stored encrypted, no one can ever view it, and it doesn't require a redeployment or reboot to add or update a variable.