Clarify synthetics params / secrets docs (#3691) (#3694)
+ Clarify and add additional details to section on synthetics security / working with sensitive values. Also document how synthetics app privileges can be used for accessing these values.

(cherry picked from commit 36be295)

Co-authored-by: Vignesh Shanmugam <vignesh.shanmugam22@gmail.com>
mergify[bot] and vigneshshanmugam authored Mar 21, 2024
1 parent 11d5892 commit 7fdf1d5
Showing 1 changed file with 11 additions and 4 deletions.
15 changes: 11 additions & 4 deletions docs/en/observability/synthetics-params-secrets.asciidoc
@@ -2,10 +2,12 @@
[[synthetics-params-secrets]]
= Work with params and secrets

Params allow you to use dynamically defined values, including sensitive information, in your
synthetic monitors. For example, you may want to test a production website with a particular
Params allow you to use dynamically defined values in your synthetic monitors.
For example, you may want to test a production website with a particular
demo account whose password is only known to the team managing the synthetic monitors.

For more information about security-sensitive use cases, refer to the <<synthetics-secrets-sensitive, documentation about sensitive values>>.

[discrete]
[[synthetics-params-secrets-define]]
= Define params
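Review bot: the new cross-reference `<<synthetics-secrets-sensitive, documentation about sensitive values>>` added after the intro paragraph targets an anchor that does not appear anywhere in this diff; please confirm a `[[synthetics-secrets-sensitive]]` anchor exists in this file (the sensitive-values section edited in the second hunk, around line 150, is the natural home), because an unresolved xref in asciidoc renders as a broken link rather than failing the build. Dropping `including sensitive information` from the first sentence is fine given the pointer that replaces it, but consider wording the link text so readers know that section also explains which Synthetics app privileges expose param values, since that is the reason a security-conscious reader would follow it.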
@@ -148,11 +150,16 @@ Your synthetics scripts may require the use of passwords or other sensitive secr

[WARNING]
====
Because synthetics scripts have no limitations, a malicious script author could write a
synthetics journey that exfiltrates `params` and other data at runtime.
Params are viewable in plain-text by administrators and other users with `all` privileges for
the Synthetics app.
Also note that synthetics scripts have no limitations on accessing these values, and a malicious script author could write a
synthetics journey that exfiltrates `params` and other data at runtime.
Do *not* to use truly sensitive passwords (for example, an admin password or a real credit card)
in *any* synthetics tools.
Instead, set up limited demo accounts, or fake credit cards with limited functionality.
If you want to limit access to parameters, ensure that users who are not supposed to access those values
do not have `all` privileges for the Synthetics app, and that any scripts that use those values
do not leak them in network requests or screenshots.
====

If you are managing monitors with projects, you can use environment variables
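Review bot: the closing advice in this hunk, `If you want to limit access to parameters, ensure that users who are not supposed to access those values / do not have `all` privileges for the Synthetics app`, describes only half of the control: the same hunk states a few lines earlier that a script author can write a journey that exfiltrates `params` at runtime, so anyone who can create or edit monitors can read the values regardless of whether they can view them in the UI. Suggest stating explicitly that the ability to create or edit monitor scripts must also be withheld from those users, and clarifying whether users holding only `read` privileges for the Synthetics app can see param values, since the text currently names `all` alone. Two smaller points: `plain-text` on the first added line should be `plain text` (it is a noun here, not a compound modifier), and the unchanged line `Do *not* to use truly sensitive passwords` carries a stray `to` that is worth fixing while this paragraph is being reworked.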
