[envvars] ease revealing a secret
Closed, ResolvedPublicFeature
Actions

Assigned To

Authored By

	DamianZaremba
	Sep 18 2025, 6:19 PM

Description

Feature summary (what you would like to be able to do and where):

Currently when trying to use a envvar from a user account (not in a pod/job), the output needs to be parsed prior to being usable e.g.

tools.cluebotng-review@tools-bastion-15:~$ toolforge envvars show TOOL_DB_HOST
name          value
TOOL_DB_HOST  gnvqgc6krq3.svc.trove.eqiad1.wikimedia.cloud

This can be done easily with jq e.g.

tools.cluebotng-review@tools-bastion-15:~$ toolforge envvars show TOOL_DB_HOST --json | jq -r .envvar.value
gnvqgc6krq3.svc.trove.eqiad1.wikimedia.cloud

However you end up needing to write things like

$ mysql \
  --disable-ssl=true \
  -h $(toolforge envvars show TOOL_DB_HOST --json | jq -r .envvar.value) \
  -u $(toolforge envvars show TOOL_DB_USER --json | jq -r .envvar.value) \
  -p$(toolforge envvars show TOOL_DB_PASSWORD --json | jq -r .envvar.value) \
  $(toolforge envvars show TOOL_DB_SCHEMA --json | jq -r .envvar.value)

Which is quite slow and verbose (it gets very fun when the value is json that you then want to parse)

Intuitively toolforge envvars show TOOL_DB_HOST would just give me the value as I already specified the key, so telling me the key I just tool the tool is a bit redundant... however that is the behaviour today, so we're probably stuck with it.

Having something like toolforge envvars reveal TOOL_DB_HOST or toolforge envvars show -r TOOL_DB_HOST which puts the literal value to stdout would reduce friction.

Use case(s) (list the steps that you performed to discover that problem, and describe the actual underlying problem which you want to solve. Do not describe only a solution):

Any ad-hoc command that requires secrets, such as mysql queries or http calls using access keys/passwords.

While mysql --defaults-file=replica.cnf exists for replica/tool-db this doesn't work for e.g. trove instances and some information e.g. schema names are not there, but in env data.

Today the only way to run this ad-hoc commands inside a container is with webservice shell, unfortunately when using a build pack web service image this conflicts with service.template

tools.cluebotng-review@tools-bastion-15:~$ webservice trixie shell -- mysql -h$TOOL_DB_HOST -u$TOOL_DB_USER -p$TOOL_DB_PASSWORD $TOOL_DB_SCHEMA
This --mount option is only supported for 'buildservice' type
Review the arguments passed and try again

It also messes with the tty quite a bit, which makes it not so great for scripting... and the database images are not valid webservice images, so you can't use mysql if it did work....

Benefits (why should this be implemented?):

Less processes run on bastion hosts
Quicker process execution, less resource usage on bastion hosts
Less frustration for maintainers
Cleaning tooling integrations

Details

Related Changes in GitLab:

Title	Reference	Author	Source Branch	Dest Branch
d/changelog: bump to 0.0.16	repos/cloud/toolforge/envvars-cli!100	raymond-ndibe	bump_envvars-cli	main
d/changelog: bump to 0.0.15	repos/cloud/toolforge/envvars-cli!97	dcaro	bump_envvars-cli	main
Change `show` command to output raw value	repos/cloud/toolforge/envvars-cli!92	damian	feature-show-only-value	main

Customize query in GitLab

Event Timeline

DamianZaremba created this task.Sep 18 2025, 6:19 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 18 2025, 6:19 PM

DamianZaremba added a project: Toolforge.Sep 18 2025, 6:19 PM

Restricted Application added a project: cloud-services-team. · View Herald TranscriptSep 18 2025, 6:19 PM

Quick note (will look the task better in a bit), you should avoid using the secrets in a command line, as that will be exposed to other users in the bastion.

For mysql from the bastion, you can use the sql script, or pass --defaults-file=~/replica.my.cnf to mysql so it reads the secrets from there.

In T405024#11202292, @dcaro wrote:

Quick note (will look the task better in a bit), you should avoid using the secrets in a command line, as that will be exposed to other users in the bastion.

This is a reasonable point for the casual observer, though the password can be passed through stdin and isn't really the heart of the issue here.

For mysql from the bastion, you can use the sql script, or pass --defaults-file=~/replica.my.cnf to mysql so it reads the secrets from there.

This is actually not the case here (Trove instance)

In T405024#11202383, @DamianZaremba wrote:

In T405024#11202292, @dcaro wrote:

Quick note (will look the task better in a bit), you should avoid using the secrets in a command line, as that will be exposed to other users in the bastion.

This is a reasonable point for the casual observer, though the password can be passed through stdin and isn't really the heart of the issue here.

Agree, I was making a quick note so it's clear that you should not use the environment variables in the cli for anyone that finds this task.

For mysql from the bastion, you can use the sql script, or pass --defaults-file=~/replica.my.cnf to mysql so it reads the secrets from there.

This is actually not the case here (Trove instance)

oh yep, trove is not (yet) well integrated with toolforge.

Intuitively toolforge envvars show TOOL_DB_HOST would just give me the value as I already specified the key, so telling me the key I just tool the tool is a bit redundant... however that is the behaviour today, so we're probably stuck with it.

I think it should be ok to only show the value with toolforge envvars show MYVAR

damian opened https://gitlab.wikimedia.org/repos/cloud/toolforge/envvars-cli/-/merge_requests/92

Change show command to output raw value