
Clarify synthetics params / secrets docs #3672

Closed

wants to merge 2 commits into from

Conversation

andrewvc
Contributor

Clarify and add detail to section on synthetics security / working with sensitive values

@andrewvc andrewvc self-assigned this Mar 13, 2024
@andrewvc andrewvc requested a review from a team as a code owner March 13, 2024 19:23

A documentation preview will be available soon:

@andrewvc andrewvc marked this pull request as draft March 13, 2024 22:12
@vigneshshanmugam vigneshshanmugam marked this pull request as ready for review March 18, 2024 22:19
@dedemorton dedemorton left a comment

Just a few editorial changes.

BTW, it's much better if you submit your changes against the main branch (rather than a versioned branch) so that we can easily backport the changes. To do this, you just need to switch to master before you click the Edit link in the docs.

@@ -2,10 +2,12 @@
[[synthetics-params-secrets]]
= Work with params and secrets

Params allow you to use dynamically defined values, including sensitive information, in your
Params allow you to use dynamically defined values, in your

Suggested change
Params allow you to use dynamically defined values, in your
Params allow you to use dynamically defined values in your

synthetic monitors. For example, you may want to test a production website with a particular
demo account whose password is only known to the team managing the synthetic monitors.

Please read the <<synthetics-secrets-sensitive, documentation on sensitive values>>for more information on security-sensitive use cases.

Suggested change
Please read the <<synthetics-secrets-sensitive, documentation on sensitive values>>for more information on security-sensitive use cases.
For more information about security-sensitive use cases, refer to the <<synthetics-secrets-sensitive, documentation about sensitive values>>.

Comment on lines +153 to +156
Please note that params are viewable in plain-text by administrators and other users with "all" privileges for
the synthetics app.
Additionally, note that synthetics scripts have no limitations on accessing these values, and a malicious script author could write a
synthetics journey that exfiltrates `params` and other data at runtime.
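Review bot: "viewable in plain-text" on the first line of this block should read "viewable in plain text" (the hyphenated form is only for the adjective, as in "plain-text values"), and "params" in that sentence should be formatted as `params` to match the code formatting used on the last line.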
@dedemorton dedemorton Mar 19, 2024

Suggested change
Please note that params are viewable in plain-text by administrators and other users with "all" privileges for
the synthetics app.
Additionally, note that synthetics scripts have no limitations on accessing these values, and a malicious script author could write a
synthetics journey that exfiltrates `params` and other data at runtime.
Params are viewable in plain-text by administrators and other users with `all` privileges for
the Synthetics app.
Also note that synthetics scripts have no limitations on accessing these values, and a malicious script author could write a
synthetics journey that exfiltrates `params` and other data at runtime.

Do *not* to use truly sensitive passwords (for example, an admin password or a real credit card)
in *any* synthetics tools.
Instead, set up limited demo accounts, or fake credit cards with limited functionality.
If you want to limit access to parameters ensure that that users who are not supposed to access those values do not have "all" privileges
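Review bot: "Do *not* to use truly sensitive passwords" on the first line of this block has a stray "to"; suggest "Do *not* use truly sensitive passwords (for example, an admin password or a real credit card) in *any* synthetics tools." The last line also lacks a terminal period and should end "... do not have `all` privileges." so the sentence is complete.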

Suggested change
If you want to limit access to parameters ensure that that users who are not supposed to access those values do not have "all" privileges
If you want to limit access to parameters, ensure that users who are not supposed to access those values do not have `all` privileges

vigneshshanmugam commented Mar 19, 2024

@dedemorton Thanks for the review. Andrew is out of office; I will open a new PR against the master branch to address your review comments and ask for a final review.

@vigneshshanmugam

Closed in favor of #3691

@vigneshshanmugam vigneshshanmugam deleted the andrewvc-patch-1 branch March 20, 2024 05:12
3 participants