Hi
I have my 1Password Connect server running on my Kubernetes cluster (in GCP) using the Helm chart from your documentation. It's worked great for creating Kubernetes secrets, but now I want to use it within our Terraform configuration so I can store all our sensitive database usernames/passwords in 1Password, but then link to those password entries from within Terraform.
I've read the 1Password provider Terraform docs, but I'm wondering what the best way to go about this is. For more context:
I understand that in order to get anything out of 1Password Connect there has to be token authentication, but would my Terraform config look like this if I was to expose it publicly over HTTPS:
provider "onepassword" {
  url = "https://some-domain.com"
}
as I obviously need to allow Terraform to be able to communicate with my 1Password Connect server. However, exposing this externally over HTTPS still feels risky.
Thoughts/comments from others who may have had this same issue welcome :) thanks!
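Added example, not part of the original post and not 1Password's own code: a fuller form of the provider block from the question, with the Connect token passed as a sensitive variable instead of being written into the configuration, and a database credential read from a vault item. The variable name, vault name and item title are hypothetical; the URL is the placeholder used in the post.

```hcl
terraform {
  required_providers {
    onepassword = {
      source = "1Password/onepassword"
    }
  }
}

# Hypothetical variable name. Supply it from the environment
# (TF_VAR_op_connect_token) so the token never lands in version control.
variable "op_connect_token" {
  type      = string
  sensitive = true
}

provider "onepassword" {
  url   = "https://some-domain.com" # placeholder URL from the post
  token = var.op_connect_token
}

# Hypothetical vault name; the Connect token must be scoped to this vault.
data "onepassword_vault" "infra" {
  name = "infrastructure"
}

# Hypothetical item title holding the database login.
data "onepassword_item" "db" {
  vault = data.onepassword_vault.infra.uuid
  title = "example-db-credentials"
}

# The username and password attributes can be passed to whatever resource
# needs them. Values read through a data source are written to Terraform
# state, so the state backend needs the same protection as the vault.
output "db_username" {
  value     = data.onepassword_item.db.username
  sensitive = true
}

output "db_password" {
  value     = data.onepassword_item.db.password
  sensitive = true
}
```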
Comments
TL;DR - is it risky to have the 1Password connector on a public URL? Has anyone else done this?
Team Member
Hi @sarahthekey:
We're currently exploring 1Password Service Accounts, which might be a better fit for this use case, rather than having to expose the 1Password Connect Kubernetes Operator to the public internet.
Jack
Hi Jack, that sounds interesting, thanks for the info. Do you have an idea of rough timelines for this?