Add security considerations for managing secrets (#7388)
* Update security-considerations.md

* Update egress-configuration.md

* Update configuration-sources.md

* Update security-considerations.md

* Update documentation/security-considerations.md

Co-authored-by: Joe Schmitt <[email protected]>

---------

Co-authored-by: Joe Schmitt <[email protected]>
kkeirstead and schmittjoseph authored Oct 2, 2024
1 parent 2ac5056 commit 56fa498
Showing 3 changed files with 21 additions and 1 deletion.
3 changes: 3 additions & 0 deletions documentation/configuration/configuration-sources.md
@@ -1,5 +1,8 @@
# Configuration Sources

> [!IMPORTANT]
> See [Security Considerations](../security-considerations.md#storing-configuration-secrets) for important information regarding specifying secrets in configuration.
`dotnet monitor` can read and combine configuration from multiple sources. The configuration sources are listed below in the order in which they are read (first is lowest precedence, last is highest precedence):

- Command line parameters
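Review bot: the new callout (`> [!IMPORTANT]` / `> See [Security Considerations](...)`) is followed directly by the `` `dotnet monitor` can read and combine configuration... `` paragraph with no blank line between them. Under CommonMark lazy continuation that paragraph line is absorbed into the blockquote, so the intro sentence will render inside the IMPORTANT box instead of after it. Add a blank line after the `> See ...` line, matching the blank line already placed before the callout.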
3 changes: 3 additions & 0 deletions documentation/configuration/egress-configuration.md
@@ -2,6 +2,9 @@

When `dotnet-monitor` is used to produce artifacts such as dumps or traces, an egress provider enables the artifacts to be stored in a manner suitable for the hosting environment rather than streamed back directly.

> [!IMPORTANT]
> See [Security Considerations](../security-considerations.md#storing-configuration-secrets) for important information regarding specifying secrets in configuration.
## Azure blob storage egress provider

| Name | Type | Required | Description |
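Review bot: style point, the callout is inserted with no blank line before `## Azure blob storage egress provider`. An ATX heading does interrupt the blockquote, so this one renders correctly, but the rest of the file separates blocks with blank lines (see the blank line kept before `> [!IMPORTANT]`); add one after the `> See ...` line for consistency with the first file in this commit. Also worth confirming that the `#storing-configuration-secrets` fragment resolves to the new `## Storing Configuration Secrets` heading in security-considerations.md; GitHub slugifies that heading text to exactly that id, but the link will break silently if the heading is ever reworded.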
16 changes: 15 additions & 1 deletion documentation/security-considerations.md
@@ -17,6 +17,20 @@ When using Azure Active Directory for authentication, the following noteworthy p
- `roles` will be validated to make sure that the `RequiredRole` configuration option is present.
- Properties relating to the lifetime of the token will be validated.

## Item 2
## Storing Configuration Secrets

It is **not recommended** to store secrets such as blob storage keys in JSON configuration. The following are recommendations for how to more securely store your configuration secrets for different platforms:

### Locally

When running locally, a preferred alternative is to specify secrets via environment variables when launching `dotnet monitor`. The following is an example using PowerShell, setting the value of `AzureBlobStorage__monitorBlob__AccountKey` prior to beginning collection:

```pwsh
$env:Egress__AzureBlobStorage__monitorBlob__AccountKey = "accountKey"; dotnet-monitor collect
```

### Kubernetes

For Kubernetes, a preferred alternative is to mount your secrets in the file system with restricted access - for more information and an example of how to do this, view the [Kubernetes documentation](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-pod-that-has-access-to-the-secret-data-through-a-volume). For additional information on how secrets work in Kubernetes, view the following [documentation](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-secret).

## Item 3

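Review bot: the prose and the example in the Locally section disagree on the variable name: the sentence says `AzureBlobStorage__monitorBlob__AccountKey` while the PowerShell line sets `Egress__AzureBlobStorage__monitorBlob__AccountKey`. The `Egress__` prefix is exactly the part a reader is likely to drop, so the sentence should give the full name. Two caveats this section should state: `$env:...` assigned with `;` ahead of the command stays set in that PowerShell session (and in any transcript or history) after `dotnet-monitor collect` exits, so a note to clear it afterwards would help; and environment variables are readable by anything that can inspect the process environment, so this is an improvement over keys in JSON on disk, not an equivalent of the restricted-access file mount the Kubernetes section recommends.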