Any way to hide database migration passwords from the main app?

I’ve set up my main webserver to use a Postgres role that only has permission to make the database changes that it really needs to make. Those permissions aren’t enough to create tables, but of course the database migration script that runs via release_command during deployment does need to be able to create tables.

It’s straightforward to define a DB_MIGRATE_DATABASE_URL secret in the app and use that in the release_command, but then that secret stays available while the main webserver is running. Similarly, I can set a --build-secret for use inside the Dockerfile, but the only way to pass that to the release_command seems to be to write it somewhere in the image, which is also available to the main webserver.

Is there any way to give an extra secret to just the release_command?

(It’s possible that I’m just being overcautious here, and if an attacker manages to get into the webserver, I need to treat them as having full access to the database even if they theoretically didn’t have that password.)


I would suggest just deleting that key from the environment variables in your main webserver app on startup. That is literally what I do with my apps as soon as any sensitive envar key is no longer needed. Having that envar is only a problem if you spawn subprocesses or dump the envars in a log when there is an exception or something. If you delete sensitive keys during app initialization, neither of these things is an issue.


I wasn’t sure deleting the Node-level env var would actually delete it from the process’s memory, but node/src/node_env_var.cc at 1a5acd0638579e687dde128cc6d4effe3ab070d1 · nodejs/node · GitHub does appear to actually call down to unsetenv. If any Worker threads have been created, it looks like the value will still be available to Spectre, but if I can delete it early enough, this seems sufficient. Thanks!

