Proper Environment Variables for Secrets [FEAT-984]

Please Note: I am not the original requestor. This feature request was submitted by another community member in our former (now depreciated) community forum.

Currently we need to leverage the terminus secrets plugin to manage secrets without commitng to version control. This generates a secrets.json file and we must write glue code to map that to environment variables. It would be nice if we could set these as environment variables and not have to deal with the main file or glue code.

If you would like to see this product/feature request happen please consider upvoting!

Screen Shot 2023-05-16 at 3.55.11 PM.png1264×158 32.5 KB

A problem I find with the current terminus plugin is that the secrets.json file needs to be sustained somewhere (and in plain text). If I put that secrets file on a multidev, it’s not really a secret value to anyone with access to the site. Copying down your LIVE site to a lower region will copy all the files and expose your production secrets. If I have MULTIPLE sites, I need many many copies of the same file, so when I need to update a value, it’s updated in x(sites) * 3+n(multidevs), which is a number that can get very big in a hurry.

Hey @dpagini! Thanks for sharing! I can see where that may not be the best user experience. I am certainly going to pass this along! But in the meantime I am also tagging @jared.sulzdorf.getpantheon.com one of our awesome Product Managers here to jump in. I am thinking he may have some ideas.

Thanks for the tag, @mckenna.regets and thanks for the feedback @dpagini

I agree that the current Terminus Secrets Plugin has a few limitations that make managing secrets at scale (and secure) less than ideal. What are your current use cases for secrets today?

We’ve been talking with our Pantheon account team and even some Pantheon leaders about our use case with secrets. We’re aware that the new secrets management product is in EA, but we don’t use integrated composer, so I don’t think we can participate in the first EA.

If you wanted to connect more on our secrets use cases, could we set up a quick chat maybe?