I need a way to restrict the use of secrets in pipelines. Examples of restrictions:
  • secrets in this secret manager can only be used against the production environment
  • these secrets can only be used by an account level template
Current OPA policy is not sufficient to enforce these restrictions. For example: a pipeline is created that queries the secret but uses a variable to hold the secret id, <+secrets.getValue(<+variables.foobar>)>. Current OPA policies on pipelines would see the variable expression and not the actual ID. This makes it hard to restrict access to certain secrets without being so overly restrictive that it prevents other valid use cases.
Policy needs the following information:
  • secret ID being accessed
  • secret manager where secret is stored
  • pipeline that is trying to access secret
  • step hierarchy of the step trying to access it
  • environment and infrastructure being used for custom and deploy stages
  • service and overrides being used for deploy stage
  • what resource is the secret access defined in
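As an added illustration of the gap described above (example code, not the author's or Harness's own): a text-level check over a constructed pipeline YAML that extracts every `<+secrets.getValue(...)>` reference, denies static secret IDs outside an allow-list, and separately flags references that hold a nested variable expression, since a policy that only sees the pipeline definition cannot resolve those. The sample pipeline, the allow-list and the violation labels are assumptions.

```python
# Constructed sample, not a real Harness pipeline; the check works on the raw
# text, so no YAML parser is needed.
SAMPLE_PIPELINE = """
pipeline:
  variables:
    - name: foobar
      value: prod_db_password
  stages:
    - step:
        type: ShellScript
        envVariables:
          API_KEY: <+secrets.getValue("dev_api_key")>
          DB_PASS: <+secrets.getValue(<+variables.foobar>)>
          TOKEN: <+secrets.getValue("prod_deploy_token")>
"""

OPEN = "<+secrets.getValue("

def find_secret_refs(text):
    """Return the raw argument of every <+secrets.getValue(...)> expression,
    tracking parenthesis depth so a nested expression is captured whole."""
    refs, pos = [], text.find(OPEN)
    while pos != -1:
        start = pos + len(OPEN)
        depth, i = 1, start
        while i < len(text) and depth:
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        refs.append(text[start:i - 1].strip())
        pos = text.find(OPEN, i)
    return refs

def classify(ref):
    """A quoted or bare identifier is static; anything holding a nested
    <+...> expression is only known at runtime."""
    if "<+" in ref:
        return ("dynamic", ref)
    return ("static", ref.strip("\"'"))

def evaluate(text, allowed_ids):
    """Allow only listed secret IDs and deny any reference a static policy
    cannot resolve. Returns a list of (reason, reference) tuples."""
    violations = []
    for kind, ref in map(classify, find_secret_refs(text)):
        if kind == "dynamic":
            violations.append(("unresolvable-at-policy-time", ref))
        elif ref not in allowed_ids:
            violations.append(("secret-not-allowed", ref))
    return violations
```

Running `evaluate(SAMPLE_PIPELINE, {"dev_api_key"})` reports the variable-held reference as unresolvable and `prod_deploy_token` as not allowed, which is exactly the information a definition-only policy has to work with.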