Spec for meltano config
support for encryption
#6999
edgarrmondragon
announced in
Spec Discussions
Replies: 4 comments 18 replies
This comment has been hidden.
This comment has been hidden.
This comment has been hidden.
This comment has been hidden.
This comment has been hidden.
This comment has been hidden.
-
@edgarrmondragon - Do we have a logged issue for this? Do you mind linking in the description if so? |
Beta Was this translation helpful? Give feedback.
1 reply
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Part of a multi-part set of feature releases:
meltano config
#6987The CLI will support encryption of config values.
The following command will encrypt
<config value>
Automatic secret detection
All settings of kind
password
will automatically encrypted when set in the CLI, if there's adefault_encryption_key
:$ meltano config <a plugin> set <a password setting> <a secret>
Storing encrypted secrets
Secrets will be stored in a structured string similar to Sops's notation:
The exact format of this string is still TBD, but it would at least encode:
uri
of the key needed for decrytionSecrets (their ciphertext) are stored along with metadata that helps Meltano identify the decryption key.
The original encryption key is stored inline to ensure the secret can always be decrypted, even if keys are removed from the project at some point.
Encryption and Decryption
secrets_config.meltano-cloud
.secrets_config.keys[]
array.The corresponding ciphertext will be processed by
a key managed by Meltano Cloud
A bring-your-own key with initial support for AWA KMS, and with plans to support HashiCorp Vault and GCP KMS:
Key rotation
Not supported in V1.
Changelog:
secrets_provider
todefault_encryption_key
cc @aaronsteers
Beta Was this translation helpful? Give feedback.
All reactions