Keep bouncer API as a secret?
This may sound dumb, but does the API key of a bouncer have to be kept private or is it fine if it can be publicly seen?
My LAPI and the bouncers are running on the same host
5 Replies
What do you mean by "public" seen?
my dotfiles are public
hence my crowdsec setup can be seen publicly as well
I have a secret management tool which encrypts them and decrypts them during build time
but since I couldn't find a way to give the path to the decrypted secrets to my bouncers, I think I'll have to publish the api keys
but just to be sure: I'm only hosting my crowdsec stuff on one host, hence the LAPI is on the same host and I've set it to 127.0.0.1:8080
so I think it should be safe to publish my keys
however there might be a mistake in my thoughts so I'm asking here
You can supply environment keys using ${VAR} in the yaml but depending on how you have installed the services you need to modify or extend the systemd service to inject the environment variable into the sandboxed service.
well that doesn't make it that much prettier
because I'm on NixOS and there I'd have to add the environment variables in my config as well