I have my credential stored in AWS Secret Manager, use a PutLamda to retrieve it and send it to a jsonextract and then invokehttp processor where I use the credentials in the body of a post message to get a bearer token.
Between those processors the secret travels in plaintext. Is there a way to hide the credentials?
The idea is to rotate the credentials on aws and the only way to view those is using aws console, doing this we can log the access to the secret, when and who.
Sorry for the bump, but I am very courious of how everyone handles this kind of *possible* security issues.
As soon as you retrieve the json from which you later extract the sensitive values, those sensitive values are available/readable by anyone who has access to view the content of a FlowFile. Even if you restrict user access so they can not view the FlowFile content, once you extract those sensitive values to FlowFile attributes they become exposed further. There is currently no methods within NiFi for encrypting FlowFile attributes. Doing so would also require any downstream processor in which you would want use those encrypted attributes to be able to understand that it is a sensitive value and decrypt it for use. Bottom line here, is that the capability you are looking for does not exist within NiFi right now.
This sounds like a new development opportunity/contribution maybe. Perhaps a new NiFi controller service that handles pulling the credentials from the AWS Secret Manager and obtaining the JWT token without writing anything to the FlowFIle's attributes or content. Then any processor you would want to use this new CS in would need to be extended to support the new capability. I am not a developer myself, but this sound like non-trivial work.
@alopresto might have some thoughts to add here.