
Comments (5)

Icaruk commented on July 19, 2024 1

@Icaruk what would you say is the main use case for this? Why do you usually need to reference secrets from other projects?

email_secrets:

  • EMAIL_USER: ****
  • EMAIL_PASS: ****

api_secrets:

  • EMAIL_USER: ${email_secrets.EMAIL_USER}
  • EMAIL_PASS: ${email_secrets.EMAIL_PASS}

worker_secrets:

  • EMAIL_USER: ${email_secrets.EMAIL_USER}
  • EMAIL_PASS: ${email_secrets.EMAIL_PASS}

Easy to change or rotate shared passwords, tokens, etc...

from infisical.

Icaruk commented on July 19, 2024 1

Not sure how it would work if other people are not part of a certain project

Maybe just allow to reference projects you have access to.


akhilmhdh commented on July 19, 2024 1

With the release of Secret Reference, you can now reference a secret from the same environment or another environment and another folder.

Closing this issue as it's now been resolved.


vmatsiiako commented on July 19, 2024

@Icaruk what would you say is the main use case for this? Why do you usually need to reference secrets from other projects?


Grraahaam commented on July 19, 2024

Here's an explanation about some use cases I've made in DM on Slack:

Allowing us to edit one secret in a "global" project and child project will automatically point to that new value
Here's how "global" project works (at least how I'm using it) :

# global project (dev config, rbac to only admin/authorized members)
API_STRIPE_URL=https://api.stripe.com/v1
API_STRIPE_KEY=xxxxxxxxxx-xxxxx-xxxxxxxx
PROJECT_CONFIG=dev

# A project (env names can be different, as long as the reference points to the correct secret)
STRIPE_URL=${global.dev.API_STRIPE_URL}
STRIPE_SECRET=${global.dev.API_STRIPE_KEY}
OTHER_VAR=foobar

# B project
API_URL=${global.dev.API_STRIPE_URL}
API_SECRET=${global.dev.API_STRIPE_KEY}
APP_ENV=${global.dev.PROJECT_CONFIG}
OTHER_VAR=foobar

Not tested yet on Doppler. Scoping developers' permissions to only given configs/environments secrets, so we could grant them read-only access to given config/environment to only fetch referenced secrets from projects where they're authorized (read-only).

Suggestion: user Bob has read-only permission on the "global" project, but only for the dev config/environment:

# global project (dev config, rbac to only admin/authorized members)
# bob : read-only
API_STRIPE_URL=https://api.stripe.com/v1
API_STRIPE_KEY=dev-xxxxxxx-xxxxx-xxxxxxxx
PROJECT_CONFIG=dev

# global project (stg config, rbac to only admin/authorized members)
# bob : no permissions
API_STRIPE_URL=https://api.stripe.com/v1
API_STRIPE_KEY=stg-xxxxxxx-xxxxx-xxxxxxxx
PROJECT_CONFIG=stg

# A project (dev config)
# bob : can fetch the referenced secrets and override those values locally if needed
STRIPE_URL=${global.dev.API_STRIPE_URL}
STRIPE_SECRET=${global.dev.API_STRIPE_KEY}
OTHER_VAR=foobar

# A project (dev config, if bob wants to try to get the stg/prd secrets)
# bob : can't fetch the referenced secrets but can still override those values locally if needed
STRIPE_URL=${global.stg.API_STRIPE_URL} # empty (can't access)
STRIPE_SECRET=${global.stg.API_STRIPE_KEY} # empty (can't access)
OTHER_VAR=foobar # can access

I hope those text schemas are clear enough, let me know if you'd prefer a visual diagram ✌️
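The permission behaviour sketched in the comment above, as an added example that is not part of the thread and is not Infisical's own code: a resolver for the commenter's `${project.env.KEY}` form that checks the requesting user's read grant at every hop and leaves unauthorized references empty. The `STORE` and `GRANTS` structures, the `STG_SECRET` key and the function names are assumptions made for illustration, and the sample data is constructed.

```python
import re

# ${project.env.KEY}: the three-part reference form used in the comment above.
REF = re.compile(r"\$\{([\w-]+)\.([\w-]+)\.([\w-]+)\}")

# Constructed sample data mirroring the "global" / "A" projects in the thread.
STORE = {
    ("global", "dev"): {"API_STRIPE_URL": "https://api.stripe.com/v1",
                        "API_STRIPE_KEY": "dev-xxxxxxx"},
    ("global", "stg"): {"API_STRIPE_URL": "https://api.stripe.com/v1",
                        "API_STRIPE_KEY": "stg-xxxxxxx"},
    ("A", "dev"): {"STRIPE_URL": "${global.dev.API_STRIPE_URL}",
                   "STRIPE_SECRET": "${global.dev.API_STRIPE_KEY}",
                   "STG_SECRET": "${global.stg.API_STRIPE_KEY}",
                   "OTHER_VAR": "foobar"},
}
# Hypothetical RBAC model: user -> set of (project, env) scopes readable.
GRANTS = {"bob": {("global", "dev"), ("A", "dev")}}


def resolve(user, project, env, key, _seen=()):
    """Expand one secret as `user`; returns (value, refs_that_stayed_empty)."""
    scope, node = (project, env), (project, env, key)
    raw = STORE.get(scope, {}).get(key)
    # Check the *requesting user's* grant at every hop, never the grant of the
    # project holding the reference. Denied and missing look identical (empty),
    # so a reference cannot be used to probe which secrets exist elsewhere.
    if scope not in GRANTS.get(user, set()) or raw is None:
        return "", [".".join(node)]
    if node in _seen:
        raise ValueError("circular reference at " + ".".join(node))
    unresolved = []

    def expand(match):
        value, sub = resolve(user, *match.groups(), _seen=_seen + (node,))
        unresolved.extend(sub)
        return value

    return REF.sub(expand, raw), unresolved


def render(user, project, env):
    """Resolve every key of one config; returns (values, unresolved refs to audit)."""
    values, unresolved = {}, []
    for key in STORE.get((project, env), {}):
        values[key], sub = resolve(user, project, env, key)
        unresolved += sub
    return values, unresolved
```

The list of unresolved references is worth logging: a developer config that repeatedly points at `stg` or `prd` scopes it cannot read is either misconfigured or probing.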
