I would like to create resources for my customers but keep the state in my own OSS backend, that is, I will use my customers' secret tokens to create resources (controlling the provider), and use my own secret to upload the state (controlling the OSS backend).
Because writing secrets in plaintext is unsafe, I would like to export secrets (like export ALICLOUD_ACCESS_KEY="xxx"). However, I don't know how to export one secret for controlling the OSS backend and export the other secret for controlling the provider.
Could someone help me solve this?
If I write secrets in plaintext in the backend config, could attackers write HCL code in a tf file so that they can get the backend config and write the secrets back into the output?
So you have two sets of credentials, the customer's credentials and your own.
You want to use your own to access the OSS backend, but use the customer credentials to do the provisioning.
If you can use two ways to provide credentials, then you should be good. E.g.:
On an ECS box that's owned by you, you can use assume role to access the OSS backend, then use environment variables to provide credentials to the provider.
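Added example of the two-path split described in the reply above (illustration written for this thread, not configuration from the original poster or from Terraform's own docs). It assumes the backend credentials are passed at init time through a partial backend configuration file that is never committed, while the provider block carries no static credentials and so falls back to the ALICLOUD_ACCESS_KEY / ALICLOUD_SECRET_KEY environment variables exported for the customer. Bucket, prefix and RAM role names are placeholders.

```hcl
# main.tf (committed)
terraform {
  backend "oss" {
    # Only non-secret settings live here. The credentials for this backend
    # are supplied by `terraform init -backend-config=backend.hcl`, so no
    # access key is ever written into a .tf file.
    bucket = "example-state-bucket"   # placeholder
    prefix = "customers/alice"        # placeholder
    key    = "terraform.tfstate"
    region = "cn-hangzhou"
  }
}

provider "alicloud" {
  # No access_key / secret_key here on purpose: the provider reads
  # ALICLOUD_ACCESS_KEY and ALICLOUD_SECRET_KEY from the environment, which
  # is where the customer's credentials are exported for this run.
  region = "cn-hangzhou"
}

# backend.hcl (NOT committed; readable only by the operator account)
# Values set explicitly here take precedence over the environment variables
# of the same name, so the exported customer key never reaches the backend.
access_key = "<your-own-oss-access-key>"   # placeholder, keep out of VCS
secret_key = "<your-own-oss-secret-key>"   # placeholder, keep out of VCS

# Usage (shell, shown as a comment):
#   export ALICLOUD_ACCESS_KEY="<customer-access-key>"
#   export ALICLOUD_SECRET_KEY="<customer-secret-key>"
#   terraform init -backend-config=backend.hcl
#   terraform apply
```

Two things to keep in mind with this layout: the backend credentials are cached by Terraform in the local `.terraform/terraform.tfstate` after init, so that directory needs the same file permissions as `backend.hcl`; and if the runner is an ECS instance, the backend's `ecs_role_name` argument can replace the two static keys in `backend.hcl` entirely, which is the assume-role variant the reply suggests.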
Well, if they get access to the OSS backend, they will be able to retrieve all state files, which would have lots of sensitive info. I would treat the security of the state file as a top priority.