Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
Read More & Register today!
SOLVED

AEM cloud, how to deploy secret client settings without putting them in GIT?

Avatar

Level 9
Level 9
7/6/21 7:44:06 AM

The standard way to add env. specific config settings is to use OSGi config files and the editor. The problem is that the editor is disabled for Cloud.   If we put secrets in git, any developer can access production systems.

 

how can we get round this?  Is there a standard out of the box way to include env specific values which are not in Git, which the backend devs can use for integrating with banking systems etc?

 

This page:

https://experienceleague.adobe.com/docs/experience-manager-cloud-service/implementing/deploying/conf...

Says this:

When to use secret environment-specific configuration values

Adobe Experience Manager as a Cloud Service requires the use of environment-specific configurations ($[secret:SECRET_VAR_NAME]) for any secret OSGi configuration values, such as passwords, private API keys, or any other values that cannot be stored in Git for security reasons.

Use secret environment-specific configurations to store the value for secrets on all Adobe Experience Manager as a Cloud Service environments, including Stage and Production.

 

So there appears to be a mechanism, but there is no mention of how this mechanism works or is used. how do we set the values?

Views

3.4K

Replies

5
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Employee Advisor
Employee Advisor
7/6/21 11:29:50 PM

@TB3dock  Please use the syntax provided in the link you shared to use a variable (secret or dev env variable) in your config and set these values using cloud manager

https://github.com/adobe/aio-cli-plugin-cloudmanager#aio-cloudmanagerenvironmentset-variables-enviro...

View solution in original post

Views

3.3K

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
5 Replies

Avatar

Community Advisor
Community Advisor
7/6/21 8:49:11 AM

Hi @TB3dock,

 

You can use the context-aware configurations to add these values into any environment. Please note that these can be authored as well as sent via code.

 

https://sling.apache.org/documentation/bundles/context-aware-configuration/context-aware-configurati...

 

Thanks,

Kiran Vedantam.

Views

3.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Employee Advisor
Employee Advisor
7/6/21 11:29:50 PM

@TB3dock  Please use the syntax provided in the link you shared to use a variable (secret or dev env variable) in your config and set these values using cloud manager

https://github.com/adobe/aio-cli-plugin-cloudmanager#aio-cloudmanagerenvironmentset-variables-enviro...

Views

3.3K

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 9
Level 9
7/7/21 4:09:59 AM
In response to shelly-goel

Hi, thanks for the reply.

]

This solution doesnt seem to make sense or solve the problem.

 

According to the docs, if you "push" a setting to an env, it will re-deploy that env. So we assume:

  1. we cant push any settings to prod as this has to be up 24x7.  deployment takes 1-2 hours.
  2. If we need to push 10 settings, it will redeploy each time, so take around 20 hours.
  3. Every time we deploy a new version, of the system, we have to re-deploy the settings, so 20 hours.

Also, its extremely risky to use command line to push secret settings to each env, its easy to get wrong. We don't own the pipeline, thats managed by another company. We don't want them to access the secrets. If they put command line to add secrets into the pipeline,then that company now has the secrets, so we would be back to square one. We dont see how this system helps. We need something like Azure KeyValut, where one trusted person can add a key which is stored encrypted, noone can ever view it, and it doesnt require a redeployment or reboot to add or update a variable.

Views

3.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Employee Advisor
Employee Advisor
7/10/21 8:26:51 AM
In response to shelly-goel
@TB3dock - The other possibility is to use CLoud Manager API https://www.adobe.io/apis/experiencecloud/cloud-manager/api-reference.html#/Variables/patchEnvironme... Here as well Adobe I/O integration is required which can be created by someone who's having the relavant permissions and can share the config to generate authorization token with you.

Views

3.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
I want to disable the delete copy move and all the other options for the child components Solved

Views

106

Likes

0

Replies

5
how to implement nonce for Content-Security-Policy script-src directive in dispatcher

Views

24

Likes

0

Replies

1
Sharing common data to multiple features in Tab component

Views

61

Likes

0

Replies

5
Ability to preview or thumbnail to preview for XF

Views

61

Likes

0

Replies

2
AEM session management and user access

Views

62

Likes

0

Replies

2