On Backlog

Provide proper place to store secrets & configuration

Related products:AIMMS PRO On-Premise & AIMMS Cloud

Forum|Forum|2 years ago
October 27, 2023
8 replies
128 views

sandervlot
AIMMS Partner

Hi, there are quite some environment-dependent configurations and secrets (database passwords, API keys) that are required for running AIMMS apps. Currently, I see modelers:

Storing those secrets unencrypted in the AIMMS Central Storage. This is obviously not very secure.
Including those secrets in their AIMMSpack. This has the downside that you need to create separate AIMMSpacks for test & production environments, which I would consider a bad practice. Furthermore, in this situation you cannot create an AIMMSpack based on your git repo: you also need files outside of that repo (since secrets shouldn't be in git). This is risky and might (at some point) also hinder CI/CD practices.

It would be nice to have a proper way to store secrets and configurations. For example, with Azure Key Vault (or something similar).

Jan-Willem
AIMMSian
Forum|Forum|2 years ago
November 15, 2023

Again Sander, thanks for bringing this up. It is not the first time we hear about it. We will also look into this one, exploring what options we have.

I was assuming that with a trend towards 'bring your own ID/authorization’, the need to store secrets would eventually get less. But that assumption might be wrong.

Regards,

Jan-Willem

Jan-Willem
AIMMSian
Forum|Forum|1 year ago
February 23, 2024

Just an update: We have started refining this and look for options. We wrote the following, sofar:

Enabling our app developers (=customers) to store app-related secrets on our cloud platform: probably a technical solution and user documentation.

Typical use cases: database credentials, storage access keys.

Requirements:

AIMMS running inside a pod can retrieve a secret needed by the app
CRUD on secrets
Must-have: at cloud customer account level
Could-have: at application-role level (later)

Possible solution 1:

Key Vault per cloud customer account
Managed Identity per cloud customer account
K8s Service Account to which the Managed Identity is linked through an environment variable
This will give the pod API access to the Key Vault
Provide an AIMMS library for Key Vault access

Possible solution 2:

Store customer-account-specific JSON files with secrets into our ‘central’ Key Vault
Provide that JSON file as environment to the application running inside the pod
Provide to app developers an API for CRUD on application secrets

Next step is technical refinement/design and then estimation of the effort required. But please let us know what you think sofar.

Jan-Willem

Jan-Willem
AIMMSian
Forum|Forum|1 year ago
February 23, 2024

New→On Backlog

Jan-Willem

sandervlot
Author
AIMMS Partner
Forum|Forum|1 year ago
March 1, 2024

Hi Jan Willem, thanks for the update. For me, this request is (functionally) linked to this request:

For that to succeed, I think that also the application level is needed (not only customer account level). (And indeed, application + role level would even be nicer.)

The technical implementation is outside of my area of expertise, so I’ll leave that up to you.

Jan-Willem
AIMMSian
Forum|Forum|1 year ago
March 3, 2024

You may well be right Sander. Thanks.

Jan-Willem

Jan-Willem
AIMMSian
Forum|Forum|1 year ago
June 23, 2024

Sander, this item is on our ‘workbench’, trying to come up with a design, amidst some other projects.

Jan-Willem

Jan-Willem
AIMMSian
Forum|Forum|7 months ago
April 17, 2025

Latest update: this has been planned for the current Program Increment, expecting a release in Q2 2025.

Jan-Willem

Jan-Willem
AIMMSian
Forum|Forum|4 months ago
July 30, 2025

Unfortunately this got pushed back as other matters took priority. It is now due for release by 18 August.

Apologies for the delay.

Jan-Willem

Sign up

Login to the community

Scanning file for viruses.

This file cannot be downloaded