Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clarify synthetics params / secrets docs #3672

Closed
wants to merge 2 commits into from
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 9 additions & 3 deletions docs/en/observability/synthetics-params-secrets.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,12 @@
[[synthetics-params-secrets]]
= Work with params and secrets

Params allow you to use dynamically defined values, including sensitive information, in your
Params allow you to use dynamically defined values, in your
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Params allow you to use dynamically defined values, in your
Params allow you to use dynamically defined values in your

synthetic monitors. For example, you may want to test a production website with a particular
demo account whose password is only known to the team managing the synthetic monitors.

Please read the <<synthetics-secrets-sensitive, documentation on sensitive values>>for more information on security-sensitive use cases.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Please read the <<synthetics-secrets-sensitive, documentation on sensitive values>>for more information on security-sensitive use cases.
For more information about security-sensitive use cases, refer to the <<synthetics-secrets-sensitive, documentation about sensitive values>>.


[discrete]
[[synthetics-params-secrets-define]]
= Define params
Expand Down Expand Up @@ -148,11 +150,15 @@ Your synthetics scripts may require the use of passwords or other sensitive secr

[WARNING]
====
Because synthetics scripts have no limitations, a malicious script author could write a
synthetics journey that exfiltrates `params` and other data at runtime.
Please note that params are viewable in plain-text by administrators and other users with "all" privileges for
the synthetics app.
Additionally, note that synthetics scripts have no limitations on accessing these values, and a malicious script author could write a
synthetics journey that exfiltrates `params` and other data at runtime.
Comment on lines +153 to +156
Copy link
Contributor

@dedemorton dedemorton Mar 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Please note that params are viewable in plain-text by administrators and other users with "all" privileges for
the synthetics app.
Additionally, note that synthetics scripts have no limitations on accessing these values, and a malicious script author could write a
synthetics journey that exfiltrates `params` and other data at runtime.
Params are viewable in plain-text by administrators and other users with `all` privileges for
the Synthetics app.
Also note that synthetics scripts have no limitations on accessing these values, and a malicious script author could write a
synthetics journey that exfiltrates `params` and other data at runtime.

Do *not* to use truly sensitive passwords (for example, an admin password or a real credit card)
in *any* synthetics tools.
Instead, set up limited demo accounts, or fake credit cards with limited functionality.
If you want to limit access to parameters ensure that that users who are not supposed to access those values do not have "all" privileges
vigneshshanmugam marked this conversation as resolved.
Show resolved Hide resolved
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
If you want to limit access to parameters ensure that that users who are not supposed to access those values do not have "all" privileges
If you want to limit access to parameters, ensure that users who are not supposed to access those values do not have `all` privileges

for the Synthetics app, and that any scripts that use those values do not leak them in network requests or screenshots.
====

If you are managing monitors with projects, you can use environment variables
Expand Down