Currently, after you authenticate with your Acquia subscription credentials, it seems that an API key is returned and stored in the Acquia Connector configuration, and this key is used to authenticate all subsequent requests.

This seems insecure, because the key will be exported with the rest of the site configuration, and will be almost impossible to keep out of VCS if you're following standard deployment workflows.

Using settings instead of config would prevent this.

Comments

Dane Powell created an issue. See original summary.

Andre-B’s picture

Andre-B
Primary language German
Location Offenburg, Germany
commented

This introduces another issue as well:

The once exported configuration contains subscription information which might be outdated. Upon updating a site using regular deployment process the old configuration will be imported again (unless the configuration changed by cronjob on production machine will be somehow exported and put back into vcs).

Alternatively the whole configuration needs to be excluded.

larowlan’s picture

larowlan
Location 🇦🇺🏝.au GMT+10
commented

use the state api, that's what its for - my 2c

anavarre’s picture

anavarre
Primary language French
Location 🇪🇺
commented

Agreed with #3 - That's what Migrate API does.

bkosborne’s picture

bkosborne
Primary language English
Location New Jersey, USA
commented

Agreed. It seems that very little of what this module is storing in config should actually be stored in config. Using the State API makes the most sense.

bkosborne’s picture

bkosborne
Primary language English
Location New Jersey, USA
commented
Priority: Normal » Major

This feels like a major to me, given that it disrupts config workflows and makes it easy to accidentally save sensitive data to version control.

bkosborne’s picture

bkosborne
Primary language English
Location New Jersey, USA
commented

How is anyone using this module while also using the config management system in any fashion?

It seems like the only option is to always go to your prod site, export the config, then copy the acquia connector settings file into your local site and commit that along with any other config changes that you're actually making.

bkosborne’s picture

bkosborne
Primary language English
Location New Jersey, USA
commented
Title: Store key in settings, not config » Don't use config for storing dynamic subscription data or API keys
irek02’s picture

irek02 commented

Thanks the feedback, everyone, this will be fixed in near future.

bkosborne’s picture

bkosborne
Primary language English
Location New Jersey, USA
commented

Hi irek, I wonder if there's a status update on this? Specifically moving the state data out of configuration and into the state API? If not, are there any known workarounds to prevent this file from constantly being overwritten and modified via config-import / config-export?

irek02’s picture

irek02 commented

@bkosborne, the fix will be released sometime next week.

bkosborne’s picture

bkosborne
Primary language English
Location New Jersey, USA
commented

Hi Irek, I see that the release was put out that removes the API creds from config and migrates them to state API.

Do you still plan on moving all the other stuff into state API, like subscription data? That's the stuff that causes some problems for me since it seems it changes based on things out my control, and things get wiped out during config import/export process.

irek02’s picture

irek02 commented

bkosborne, yes, the plan is to move all other config into the State API. I'm going to close this story as the security concern with the credentials was addressed. Would you like to create a new issue about the subscription_data part?

irek02’s picture

irek02 commented
Status: Active » Fixed
bkosborne’s picture

bkosborne
Primary language English
Location New Jersey, USA
commented

Done: #2864697: Move subscription and SPI data out of config and into state API

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.