Expand my Community achievements bar.

SOLVED

AEM cloud, how to deploy secret client settings without putting them in GIT?

Avatar

Level 9

The standard way to add env. specific config settings is to use OSGi config files and the editor. The problem is that the editor is disabled for Cloud.   If we put secrets in git, any developer can access production systems.

 

how can we get round this?  Is there a standard out of the box way to include env specific values which are not in Git, which the backend devs can use for integrating with banking systems etc?

 

This page:

https://experienceleague.adobe.com/docs/experience-manager-cloud-service/implementing/deploying/conf...

Says this:

When to use secret environment-specific configuration values

Adobe Experience Manager as a Cloud Service requires the use of environment-specific configurations ($[secret:SECRET_VAR_NAME]) for any secret OSGi configuration values, such as passwords, private API keys, or any other values that cannot be stored in Git for security reasons.

Use secret environment-specific configurations to store the value for secrets on all Adobe Experience Manager as a Cloud Service environments, including Stage and Production.

 

So there appears to be a mechanism, but there is no mention of how this mechanism works or is used. how do we set the values?

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

@TB3dock  Please use the syntax provided in the link you shared to use a variable (secret or dev env variable) in your config and set these values using cloud manager

https://github.com/adobe/aio-cli-plugin-cloudmanager#aio-cloudmanagerenvironmentset-variables-enviro...

View solution in original post

5 Replies

Avatar

Community Advisor

Hi @TB3dock,

 

You can use the context-aware configurations to add these values into any environment. Please note that these can be authored as well as sent via code.

 

https://sling.apache.org/documentation/bundles/context-aware-configuration/context-aware-configurati...

 

Thanks,

Kiran Vedantam.

Avatar

Correct answer by
Employee Advisor

@TB3dock  Please use the syntax provided in the link you shared to use a variable (secret or dev env variable) in your config and set these values using cloud manager

https://github.com/adobe/aio-cli-plugin-cloudmanager#aio-cloudmanagerenvironmentset-variables-enviro...

Avatar

Level 9

Hi, thanks for the reply.

]

This solution doesnt seem to make sense or solve the problem.

 

According to the docs, if you "push" a setting to an env, it will re-deploy that env. So we assume:

  1. we cant push any settings to prod as this has to be up 24x7.  deployment takes 1-2 hours.
  2. If we need to push 10 settings, it will redeploy each time, so take around 20 hours.
  3. Every time we deploy a new version, of the system, we have to re-deploy the settings, so 20 hours.

Also, its extremely risky to use command line to push secret settings to each env, its easy to get wrong. We don't own the pipeline, thats managed by another company. We don't want them to access the secrets. If they put command line to add secrets into the pipeline,then that company now has the secrets, so we would be back to square one. We dont see how this system helps. We need something like Azure KeyValut, where one trusted person can add a key which is stored encrypted, noone can ever view it, and it doesnt require a redeployment or reboot to add or update a variable.

Avatar

Employee Advisor
@TB3dock - The other possibility is to use CLoud Manager API https://www.adobe.io/apis/experiencecloud/cloud-manager/api-reference.html#/Variables/patchEnvironme... Here as well Adobe I/O integration is required which can be created by someone who's having the relavant permissions and can share the config to generate authorization token with you.