Working with API secrets

Hello,

Within our company we are rethinking the way we handle API and other secrets/keys. We are considering centralized (cloud) storage to manage the keys. But that is not the main issue we are unsure about.

We have the following situation, which we are not sure yet how to resolve:

  • A test plan can have multiple plugins/instruments that require a secret/key
  • The user should only be asked to log in once (and the key/secret retrieval etc. should be handled then)
  • Ideally the user does not have to log in per plugin/instrument

We are considering making a separate plugin to handle all the login and key/secret handling, and then letting this plugin insert them into the instruments that need said keys (not exactly sure if this is a desirable way).

The exact moment at which to handle the login is not determined yet. We are considering doing it during the opening of instruments, but we expect issues with instruments that use said keys.

I'm mainly interested in how others manage their keys/secrets inside OpenTAP/test plans, or what an approach would be to achieve our goal.

Thanks in advance.

Hello,

Below is what we eventually went with:

We eventually chose to use Azure Key Vault to store the secrets themselves. This was chosen because we are already using Azure for other products.

An instrument is made that retrieves the secrets based on their name. When the test plan/settings are made, the developer has to add these to a list. The names are not considered sensitive information.
The instrument will, during Open(), retrieve the secrets from the vault after authorization. Next the instrument will check the instrument/result listener settings for a known variable (a private get, such that it does not show up in the editor, nor in the bench settings) and set the secret.

Instruments/result listeners that require a secret will wait for it to be set, with a timeout. After that they will follow normal operation.

We are aware that in theory you can mimic an instrument in order to obtain the secrets. But that would require a company login and access to the systems/software, which we find a reasonable compromise for now.

I mainly put it out here to provide a solution to those with a similar issue.
Feel free to mention improvements.
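A sketch of the arrangement described in the post above, written in C# as an added example for this thread. It is not the poster's code and not an OpenTAP or Azure SDK sample. It assumes the Azure.Security.KeyVault.Secrets and Azure.Identity NuGet packages, a hypothetical ISecretConsumer interface that consuming resources implement (the poster used a private-get property and reflection-style lookup instead), placeholder values for the vault URI and the secret name, and a fail-fast policy on timeout (the Open throws instead of continuing without a key), which is a choice made here.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Linq;
using System.Threading;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using OpenTap;

// Assumed contract (not an OpenTAP type). A consumer advertises the secret names it
// needs and receives values through a method, so the value is never a serialized
// bench setting and never appears in the editor.
public interface ISecretConsumer
{
    IEnumerable<string> RequiredSecretNames { get; }
    void SetSecret(string name, string value);
}

[Display("Key Vault Secrets", Group: "Secrets",
    Description: "Fetches named secrets from Azure Key Vault and hands them to other resources.")]
public class KeyVaultSecretInstrument : Instrument
{
    [Display("Vault URI")]
    public string VaultUri { get; set; } = "https://example-vault.vault.azure.net/"; // placeholder

    // Only the names live in the bench settings; the poster does not treat them as sensitive.
    [Display("Secret names")]
    public List<string> SecretNames { get; set; } = new List<string>();

    public KeyVaultSecretInstrument() { Name = "KeyVault"; }

    public override void Open()
    {
        base.Open();
        // DefaultAzureCredential covers an interactive developer login (e.g. az login) as well
        // as a managed identity on a test station, so no credential is stored in the plan.
        var client = new SecretClient(new Uri(VaultUri), new DefaultAzureCredential());

        var secrets = new Dictionary<string, string>();
        foreach (var name in SecretNames)
            secrets[name] = client.GetSecret(name).Value.Value;

        // Push each value to every instrument and result listener that asked for it.
        var consumers = InstrumentSettings.Current.OfType<ISecretConsumer>()
            .Concat(ResultSettings.Current.OfType<ISecretConsumer>());
        foreach (var consumer in consumers)
            foreach (var name in consumer.RequiredSecretNames)
            {
                if (secrets.TryGetValue(name, out var value))
                    consumer.SetSecret(name, value);
                else
                    Log.Warning("Secret '{0}' requested by {1} is not in the configured list", name, consumer);
            }
    }
}

// A consuming instrument: waits for its key with a timeout, then connects.
[Display("Cloud API", Group: "Secrets")]
public class CloudApiInstrument : Instrument, ISecretConsumer
{
    private const string ApiKeyName = "cloud-api-key";           // assumed secret name
    private readonly ManualResetEventSlim _ready = new ManualResetEventSlim(false);
    private string _apiKey;                                       // private field: never serialized

    [Display("Secret timeout (s)")]
    public double SecretTimeoutSeconds { get; set; } = 30;

    [Browsable(false)]                                            // keep it out of the editor
    public IEnumerable<string> RequiredSecretNames => new[] { ApiKeyName };

    public CloudApiInstrument() { Name = "CloudApi"; }

    public void SetSecret(string name, string value)
    {
        if (name != ApiKeyName) return;
        _apiKey = value;
        _ready.Set();
    }

    public override void Open()
    {
        base.Open();
        // Block until the vault instrument has delivered the key, or fail the open.
        if (!_ready.Wait(TimeSpan.FromSeconds(SecretTimeoutSeconds)))
            throw new TimeoutException($"No value for secret '{ApiKeyName}' received within {SecretTimeoutSeconds}s");
        // ... authenticate to the API with _apiKey here ...
    }

    public override void Close()
    {
        _apiKey = null;   // drop the secret as soon as it is no longer needed
        _ready.Reset();
        base.Close();
    }
}
```

Two things to check in your own setup before relying on this pattern. The engine only opens resources that the test plan actually uses, so the vault instrument has to be referenced from the plan like any other resource; and the timed wait only helps if the vault instrument's Open() runs before or concurrently with the consumers' Open(), otherwise a consumer opened first just blocks until its timeout. If the consumer holds a property that references the vault instrument, OpenTAP's ResourceOpen attribute (ResourceOpenBehavior.Before) is worth looking at as a way to have the engine open the vault first and drop the wait altogether.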