From 38162b7226b3448e6a2db3f921418fb80e5a443f Mon Sep 17 00:00:00 2001 From: Vignesh Shanmugam Date: Wed, 20 Mar 2024 20:41:32 -0700 Subject: [PATCH] Clarify synthetics params / secrets docs (#3691) + Clarify and add additional details to section on synthetics security / working with sensitive values. Also document how synthetics app privileges can be used for accessing these values. (cherry picked from commit 36be295146b21eba097cd37ee3c757f32c3016b4) --- .../synthetics-params-secrets.asciidoc | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/docs/en/observability/synthetics-params-secrets.asciidoc b/docs/en/observability/synthetics-params-secrets.asciidoc index 04acdcdd3a..fbd3247359 100644 --- a/docs/en/observability/synthetics-params-secrets.asciidoc +++ b/docs/en/observability/synthetics-params-secrets.asciidoc @@ -2,10 +2,12 @@ [[synthetics-params-secrets]] = Work with params and secrets -Params allow you to use dynamically defined values, including sensitive information, in your -synthetic monitors. For example, you may want to test a production website with a particular +Params allow you to use dynamically defined values in your synthetic monitors. +For example, you may want to test a production website with a particular demo account whose password is only known to the team managing the synthetic monitors. +For more information about security-sensitive use cases, refer to the <>. + [discrete] [[synthetics-params-secrets-define]] = Define params 
@@ -148,11 +150,16 @@ Your synthetics scripts may require the use of passwords or other sensitive secr [WARNING] ==== -Because synthetics scripts have no limitations, a malicious script author could write a -synthetics journey that exfiltrates `params` and other data at runtime. +Params are viewable in plain-text by administrators and other users with `all` privileges for +the Synthetics app. +Also note that synthetics scripts have no limitations on accessing these values, and a malicious script author could write a +synthetics journey that exfiltrates `params` and other data at runtime. Do *not* to use truly sensitive passwords (for example, an admin password or a real credit card) in *any* synthetics tools. Instead, set up limited demo accounts, or fake credit cards with limited functionality. +If you want to limit access to parameters, ensure that users who are not supposed to access those values +do not have `all` privileges for the Synthetics app, and that any scripts that use those values +do not leak them in network requests or screenshots. ==== If you are managing monitors with projects, you can use environment variables
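Review bot: in the first hunk, the cross-reference at the end of the added sentence "For more information about security-sensitive use cases, refer to the <>." shows up here as an empty `<>`; unless that is an artifact of how the diff was pasted, the xref has no target and no link text. It should name the anchor id of the security section in the same `<<anchor-id, link text>>` form the rest of this file uses for ids like `synthetics-params-secrets-define`, otherwise the rendered page will show a broken reference exactly where readers are being sent for the security guidance this commit is about. Dropping "including sensitive information" from the opening sentence is consistent with routing that topic to the dedicated section, provided the link actually resolves.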
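Review bot: in the second hunk, the mitigation added at the end of the WARNING block is weaker than the threat stated a few lines above it, and the two should be tied together. The block says "synthetics scripts have no limitations on accessing these values, and a malicious script author could write a synthetics journey that exfiltrates `params`", but the new guidance only tells readers to withhold `all` privileges for the Synthetics app and to make sure scripts "do not leak them in network requests or screenshots". Withholding `all` covers viewing params in the UI; it does nothing about the runtime path if the same user can still create or edit a monitor that references the param. Suggest stating plainly that anyone permitted to author or edit a monitor that can reference a param must be treated as able to read that param, so param access and script-authoring rights have to be restricted to the same trusted set, and that checking scripts for leaks via requests or screenshots is a review obligation on whoever approves monitor changes rather than something the platform enforces. Two smaller points while this block is being touched: the unchanged context line "Do *not* to use truly sensitive passwords" has a stray "to" (should read "Do *not* use"), and "viewable in plain-text" should be "viewable in plain text". It would also help to say explicitly whether users with only `read` privileges for the Synthetics app can see param values, since the new sentence names `all` and leaves the lesser privilege ambiguous.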