
How to handle credentials in a flowfile?


Explorer

I have my credential stored in AWS Secrets Manager. I use a PutLambda to retrieve it and send it to a jsonextract and then an invokehttp processor, where I use the credentials in the body of a POST message to get a bearer token.

Between those processors the secret travels in plaintext. Is there a way to hide the credentials?

The idea is to rotate the credentials on AWS so that the only way to view them is through the AWS console. Doing this, we can log access to the secret: when and who.

Thank you!

2 REPLIES 2

Re: How to handle credentials in a flowfile?

Explorer

Sorry for the bump, but I am very curious how everyone handles this kind of *possible* security issue.

Thanks!

Re: How to handle credentials in a flowfile?

Master Guru

@Alexandros

As soon as you retrieve the JSON from which you later extract the sensitive values, those sensitive values are available/readable by anyone who has access to view the content of a FlowFile. Even if you restrict user access so they cannot view the FlowFile content, once you extract those sensitive values to FlowFile attributes they become exposed further. There are currently no methods within NiFi for encrypting FlowFile attributes. Doing so would also require any downstream processor in which you would want to use those encrypted attributes to be able to understand that it is a sensitive value and decrypt it for use. Bottom line here is that the capability you are looking for does not exist within NiFi right now.

This sounds like a new development opportunity/contribution maybe. Perhaps a new NiFi controller service that handles pulling the credentials from AWS Secrets Manager and obtaining the JWT token without writing anything to the FlowFile's attributes or content. Then any processor you would want to use this new CS in would need to be extended to support the new capability. I am not a developer myself, but this sounds like non-trivial work.

@alopresto might have some thoughts to add here.

Thanks,

Matt
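
A sketch of the controller-service idea suggested in the reply above, added here as an example; it is not code from the thread or from the NiFi project. The class name, property names, the 300-second cache lifetime and the token endpoint's request/response shape are assumptions, and in a real build the service would implement an interface that the extended processors reference.

```java
// Added sketch: secret and token stay inside the service, never in FlowFile content or attributes.
import java.net.URI;
import java.net.http.*;
import java.time.Instant;
import java.util.List;
import org.apache.nifi.annotation.lifecycle.OnEnabled;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.controller.AbstractControllerService;
import org.apache.nifi.controller.ConfigurationContext;
import org.apache.nifi.processor.util.StandardValidators;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;

public class SecretsManagerBearerTokenService extends AbstractControllerService {
    // Hypothetical property names; only identifiers are configured, never the secret itself.
    static final PropertyDescriptor SECRET_ID = new PropertyDescriptor.Builder()
            .name("Secret ID").required(true)
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR).build();
    static final PropertyDescriptor TOKEN_URL = new PropertyDescriptor.Builder()
            .name("Token URL").required(true)
            .addValidator(StandardValidators.URL_VALIDATOR).build();
    private volatile String secretId, tokenUrl, token;
    private volatile Instant expiry = Instant.MIN;

    @Override
    protected List<PropertyDescriptor> getSupportedPropertyDescriptors() {
        return List.of(SECRET_ID, TOKEN_URL);
    }

    @OnEnabled
    public void onEnabled(ConfigurationContext ctx) {
        secretId = ctx.getProperty(SECRET_ID).getValue();
        tokenUrl = ctx.getProperty(TOKEN_URL).getValue();
    }

    /** Called by an extended processor, which sets the Authorization header from the result. */
    public synchronized String getBearerToken() throws Exception {
        if (token != null && Instant.now().isBefore(expiry)) return token;
        String body;
        try (SecretsManagerClient sm = SecretsManagerClient.create()) {
            // Assumption: the stored secret string is already the JSON body the token endpoint expects.
            body = sm.getSecretValue(GetSecretValueRequest.builder().secretId(secretId).build()).secretString();
        }
        HttpResponse<String> rsp = HttpClient.newHttpClient().send(
                HttpRequest.newBuilder(URI.create(tokenUrl)).header("Content-Type", "application/json")
                        .POST(HttpRequest.BodyPublishers.ofString(body)).build(),
                HttpResponse.BodyHandlers.ofString());
        // Report only the status code; never log the request body, which holds the credential.
        if (rsp.statusCode() != 200) throw new IllegalStateException("token request failed: " + rsp.statusCode());
        token = rsp.body();                       // Assumption: the response body is the raw token.
        expiry = Instant.now().plusSeconds(300);  // Assumption: fixed 5-minute cache lifetime.
        return token;
    }
}
```

Because the secret is re-read from Secrets Manager whenever the cached token expires, rotated credentials are picked up without editing the flow, and each read is recorded on the AWS side.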
