PBM-1268 Securely Store CLI Credentials using systemd#348
rasika-chivate merged 30 commits into main from
Conversation
Pull request overview
Adds documentation for securing PBM agent/CLI credentials using systemd’s encrypted service credentials, and surfaces that guidance from the existing authentication docs.
Changes:
- Add a new install guide describing how to encrypt PBM connection configuration with `systemd-creds` and load it via `LoadCredentialEncrypted`.
- Link the new guide into the MkDocs navigation under “Set up and configure”.
- Add a security warning to discourage plaintext credential storage in environment files.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| mkdocs-base.yml | Adds the new systemd-credentials guide to the left-nav. |
| docs/install/secure-credentials-systemd.md | New procedural documentation for using systemd encrypted credentials with pbm-agent. |
| docs/install/configure-authentication.md | Adds a warning recommending systemd credentials over plaintext env vars. |
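The review overview above describes the workflow in prose only: encrypt the plaintext connection config with `systemd-creds`, hand the blob to the service with `LoadCredentialEncrypted`, point `pbm-agent -f` at the decrypted copy. The script below is an added example, not part of this pull request or of the pbm-docs guide, that carries the whole procedure through on a host. It assumes the encrypted blob lives in `/etc/credstore.encrypted`, that the unit change is made as a drop-in named `credentials.conf` rather than by editing the packaged unit file, and that `pbm-agent` accepts `-f` for the config path as the snippet in the diff shows.

```shell
#!/bin/sh
# Added example (not from the pbm-docs PR): encrypt a PBM connection config
# with systemd-creds and load it into pbm-agent via LoadCredentialEncrypted.
# Assumed locations: /etc/credstore.encrypted for the blob and a drop-in under
# /etc/systemd/system/pbm-agent.service.d/ for the unit change.
set -eu

CRED_NAME="pbm_connection.yaml"
CRED_STORE="/etc/credstore.encrypted"
DROPIN_DIR="/etc/systemd/system/pbm-agent.service.d"

# Render the drop-in that overrides the packaged unit. The empty ExecStart=
# line clears the packaged ExecStart first; without it systemd would see two
# ExecStart lines and refuse to start the service. %d expands to the
# per-service $CREDENTIALS_DIRECTORY at runtime, so it stays literal here.
render_dropin() {
    name="$1"
    store="$2"
    printf '%s\n' \
        '[Service]' \
        "LoadCredentialEncrypted=${name}:${store}/${name}.cred" \
        'PrivateMounts=yes' \
        'ExecStart=' \
        "ExecStart=/usr/bin/pbm-agent -f %d/${name}"
}

# Encrypt the plaintext config for this host. By default systemd-creds binds
# the blob to the host key and/or TPM2, so the .cred file is not portable to
# another machine. --name= must equal the credential ID used on the left-hand
# side of LoadCredentialEncrypted, or decryption fails at service start.
encrypt_config() {
    plain="$1"; name="$2"; store="$3"
    install -d -m 0755 "$store"
    systemd-creds encrypt --name="$name" "$plain" "$store/$name.cred"
    chmod 0600 "$store/$name.cred"
}

# Check that the blob decrypts on this host before the agent is restarted.
# The plaintext goes to stdout and is discarded; only the exit status matters.
verify_config() {
    name="$1"; store="$2"
    systemd-creds decrypt --name="$name" "$store/$name.cred" >/dev/null
}

main() {
    plain="${1:?usage: $0 /path/to/pbm_connection.yaml}"
    encrypt_config "$plain" "$CRED_NAME" "$CRED_STORE"
    verify_config "$CRED_NAME" "$CRED_STORE"
    install -d -m 0755 "$DROPIN_DIR"
    render_dropin "$CRED_NAME" "$CRED_STORE" > "$DROPIN_DIR/credentials.conf"
    systemctl daemon-reload
    systemctl restart pbm-agent
    # Removing the plaintext is best effort: shred cannot guarantee an overwrite
    # on copy-on-write or journaling filesystems, as noted in the review below.
    shred -u "$plain" 2>/dev/null || rm -f "$plain"
}

# Run the procedure only when a plaintext path is given, so the functions can
# also be sourced and called individually.
[ $# -eq 0 ] || main "$@"
```

Run it as root with the path of the plaintext config, for example `sh pbm-creds-setup.sh /root/pbm_connection.yaml`. `render_dropin` is kept separate from the commands that need systemd so the unit fragment can be inspected (or diffed against an existing `override.conf`) before anything on the host changes.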
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@rasika-chivate I've opened a new pull request, #349, to work on those changes. Once the pull request is ready, I'll request review from you. |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@rasika-chivate Unfortunately I hit an unexpected error while processing your comment. I've automatically reported this to GitHub. You can ask me to try again later by mentioning me in a new comment. If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: Sorry for the inconvenience! |
…s to other credentials
Agent-Logs-Url: https://github.com/percona/pbm-docs/sessions/67e80530-fa05-4022-bb93-dc886f07bd31
Co-authored-by: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com>
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| [Service] | ||
| LoadCredentialEncrypted=pbm_connection.yaml:/path/to/pbm_connection.yaml.cred | ||
| PrivateMounts=yes | ||
| ExecStart=/usr/bin/pbm-agent -f %d/pbm_connection.yaml |
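Review bot: the line `LoadCredentialEncrypted=pbm_connection.yaml:/path/to/pbm_connection.yaml.cred` only decrypts cleanly if the credential ID on the left (`pbm_connection.yaml`) matches the name embedded in the blob when it was produced by `systemd-creds encrypt` (its `--name=` option); a mismatch fails at service start with no hint in the unit file, so the step that runs the encrypt command should pin `--name=pbm_connection.yaml`. It is also worth stating next to this block that the blob is bound to the host key and/or TPM2 by default, so it has to be generated on the host that runs pbm-agent and cannot be copied between hosts.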
Step 4 references an “earlier How to find the environment file section”, but that section doesn’t exist on this page. Please either link directly to the relevant section in configure-authentication.md (or another page), or rephrase/remove the reference so the instructions are self-contained.
@copilot apply changes based on this feedback
Removed the reference to the non-existent section. Step 4 now directly lists the distro-specific paths: /lib/systemd/system/pbm-agent.service for Debian/Ubuntu and /usr/lib/systemd/system/pbm-agent.service for RHEL-based distributions. Committed in 46db4f5.
| 4. Edit the systemd unit file (for example, `/lib/systemd/system/pbm-agent.service` or `/usr/lib/systemd/system/pbm-agent.service`, depending on your distribution; see the earlier *How to find the environment file* section) and in the `[Service]` section, add the `LoadCredentialEncrypted` and `PrivateMounts` directives: | ||
|
|
||
| ``` | ||
| [Service] | ||
| LoadCredentialEncrypted=pbm_connection.yaml:/path/to/pbm_connection.yaml.cred |
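Review bot: step 4 sends the reader to edit `/lib/systemd/system/pbm-agent.service` or `/usr/lib/systemd/system/pbm-agent.service` in place, but those files belong to the package and are replaced on upgrade, which silently drops the `LoadCredentialEncrypted` line and leaves the agent starting without its config. Suggest a drop-in instead (`systemctl edit pbm-agent`, which writes `/etc/systemd/system/pbm-agent.service.d/override.conf`), and note that a drop-in changing `ExecStart=` must clear the packaged value with an empty `ExecStart=` line first. The fence opened on the last line has no language tag; `ini` renders unit files correctly.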
The wording “Securely delete the plain text file” is stronger than what shred can guarantee on some filesystems (e.g., copy-on-write / journaling). Consider softening this to “remove”/“best-effort overwrite” and/or add a brief note that secure deletion depends on filesystem/storage characteristics.
@copilot apply changes based on this feedback
https://github.com/percona/pbm-docs into PBM-1268-Securely-Store-CLI-Credentials-using-systemd
Agent-Logs-Url: https://github.com/percona/pbm-docs/sessions/2c98a8a1-351d-4633-920e-5f3b7ca033a5
Co-authored-by: rasika-chivate <95711051+rasika-chivate@users.noreply.github.com>
https://github.com/percona/pbm-docs into PBM-1268-Securely-Store-CLI-Credentials-using-systemd
| Storing credentials in plaintext significantly increases the risk of compromise. Secrets placed in configuration files or environment variables can be exposed through: | ||
|
|
||
| - File access | ||
| - Process inspection (e.g., `ps`, `/proc`) |
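Review bot: "Process inspection (e.g., `ps`, `/proc`)" overstates the exposure for environment variables: `/proc/<pid>/environ` (which `ps e` reads) is visible only to the process's own user and to root, so the realistic paths are command-line arguments, world- or group-readable files, core dumps and backups; the bullet should say which of these it means. The list should also state what this mechanism does not change: once `LoadCredentialEncrypted` has decrypted the blob, the plaintext config sits as a file in `$CREDENTIALS_DIRECTORY` (a private ramfs/tmpfs mount under `/run/credentials/`) readable by the service user and by root, so the gain is protection at rest and in backups, not protection against a compromised host.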
should this be fixed according to Vale's suggestion?
radoslawszulgo left a comment:
looks good to me.
Securely Store PBM Agent and CLI Credentials using systemd Service Credentials.