
Storing and accessing credentials (e.g. database logins) as actinia user #398

Open
ninsbl opened this issue Dec 14, 2022 · 3 comments

Comments

@ninsbl
Contributor

ninsbl commented Dec 14, 2022

Is there already a way to securely store and access e.g. database credentials as an actinia user?

When data is to be fetched from or exported to external databases, one needs some form of storing login credentials for actinia users.
Maybe also credentials for data portals, if they are supposed to be accessed user-specifically...

It does not seem right to include credentials in API calls in plain text.

One option I could imagine is that a user may upload an encrypted keepass file that in itself is secured (and later accessed) with the actinia password. In actinia credentials could be fetched with e.g. https://pypi.org/project/pykeepass/

But I am no security expert and maybe that is also a terrible idea with regards to security?

@ninsbl
Contributor Author

ninsbl commented Dec 16, 2022

I have now written a function to transfer entries from a KeePass database file into environment variables, which could in turn be used to authenticate users at data source services / databases.

```python
import os
from pykeepass import PyKeePass


def keepass_to_env(
    keepass_file, keepass_pwd, title, username_var, password_var, first=True
):
    """Copy username and password of the entry titled `title` into two environment variables."""
    kp = PyKeePass(keepass_file, password=keepass_pwd)
    entry = kp.find_entries(title=title, first=first)
    if not first:
        # find_entries(first=False) returns a list; use the first match
        entry = entry[0] if entry else None
    if entry is None:
        raise KeyError(f"no entry titled {title!r} in {keepass_file}")
    os.environ[username_var] = entry.username
    os.environ[password_var] = entry.password
```

For use in actinia modules, two questions remain:

  1. how to securely transfer and store the KeePass file to actinia / user data area and
  2. how to unlock the KeePass file with the actinia password (assuming that it is used to protect the KeePass file)...

Another approach could be Bitwarden (which could be connected to Keycloak, if I understood correctly)...

@ninsbl
Contributor Author

ninsbl commented Jan 24, 2023

Apache Airflow (also a Python-based web app) supports different external backends, e.g. HashiCorp Vault, for secrets management.
See: https://github.com/apache/airflow/tree/main/airflow/providers/hashicorp/secrets for inspiration on how secrets backends are implemented in Airflow.
HashiCorp Vault is an open-source project and could even be bundled with actinia (at least in theory). It also powers secrets handling in GitHub Actions. It would be cool if secrets could be stored in Vault and then accessed like in GitHub Actions with a specific kind of string (${{ secrets.SENTINELHUB_AUTH_TOKEN }}).

Without external secrets backends, Airflow stores credentials as encrypted strings in a PostgreSQL database. Such a solution could possibly be a first approach for actinia too...

Just collecting some ideas...

@mmacata
Member

mmacata commented Jun 15, 2023

We discussed internally and came to the conclusion that a vault file should be used, e.g. with KeePass (see the Python examples). The key of the file would then be an environment variable or a docker secret. The password itself should rather be stored in actinia. The vault file is created by the user and follows a naming convention with his actinia user name in the filename. The file can then be uploaded.

Further hints for implementation:

  • In- and outputs of GRASS GIS modules in logs must not be passwords!
  • actinia importer might need to be adjusted - manage password access and e.g. i.sentinel.import cannot be used as is.
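Added example (not actinia's own code, and not part of this thread) of the pieces around the KeePass file that the comment above asks for: the per-user vault file naming convention, the vault key read from a docker secret or an environment variable, and a logging filter that keeps the unlocked secrets out of the GRASS module in-/output logs. The vault directory, secret file path and variable name are assumptions; reading the entries themselves is what `keepass_to_env` above does.

```python
import logging
import os
import re
from pathlib import Path

# Assumed naming convention: <actinia user name>.kdbx inside one vault directory.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def is_valid_username(username: str) -> bool:
    """Only plain names, so an uploaded file name cannot point outside the vault directory."""
    return bool(USERNAME_RE.fullmatch(username)) and username not in (".", "..")


def vault_path_for(username: str, vault_dir="/actinia/vaults") -> Path:
    if not is_valid_username(username):
        raise ValueError("invalid actinia user name")
    return Path(vault_dir) / f"{username}.kdbx"


def vault_key(secret_file="/run/secrets/actinia_vault_key",
              env_var="ACTINIA_VAULT_KEY", env=os.environ) -> str:
    """Docker secret file first, environment variable as a fallback (assumed names)."""
    path = Path(secret_file)
    if path.is_file():
        return path.read_text().strip()
    key = env.get(env_var)
    if not key:
        raise RuntimeError(f"no vault key in {secret_file} or ${env_var}")
    return key


def redact(text: str, secrets) -> str:
    """Mask every known secret value, longest first so a substring secret cannot leave a remainder."""
    for secret in sorted((s for s in secrets if s), key=len, reverse=True):
        text = text.replace(secret, "***")
    return text


class SecretRedactor(logging.Filter):
    """Attach to the logger that records GRASS module inputs and outputs."""

    def __init__(self, secrets):
        super().__init__()
        self.secrets = list(secrets)

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = redact(record.getMessage(), self.secrets), ()
        return True
```

Register the filter once with `logging.getLogger("grass").addFilter(SecretRedactor([password]))` after unlocking the vault, so module command lines logged later show `password=***`.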
