Add support for environment variables

Question

Add support for environment variables

Shleif91 opened this issue a year ago · comments

Oleg commented a year ago

Add support for environment variables. Very relevant for username and password

James McKinney · Answer 1 · Thu Apr 13 2023 04:52:56 GMT+0800 (China Standard Time)

What is the issue with storing the username/password in the configuration file?

James McKinney · Answer 2 · Thu Apr 13 2023 04:54:43 GMT+0800 (China Standard Time)

Duplicate #303

ankur · Answer 3 · Sat Jul 01 2023 16:17:54 GMT+0800 (China Standard Time)

Would also like this feature. It is necessary for CI/CD deployment.

James McKinney · Answer 4 · Sat Jul 01 2023 23:08:23 GMT+0800 (China Standard Time)

You can do CI/CD deployment without Scrapyd having support for environment variables, like in #303 (comment)

ankur · Answer 5 · Sun Jul 02 2023 00:07:51 GMT+0800 (China Standard Time)

Our scrapy script uploads to AWS S3. Wouldn't this method require writing our keys into a plaintext file? Likewise, if the scrapy relies on a database connection URL, then it would have to be written to plaintext for an egg to access it via scrapyd. If an attacker gains access to the server, it means secrets can be stolen.

James McKinney · Answer 6 · Sun Jul 02 2023 01:18:44 GMT+0800 (China Standard Time)

Plaintext files like /etc/shadow or private SSH keys stored in .ssh directories are not inherently insecure. You can use the filesystem's permissions and ownership features to protect such files.

If an attacker gains root access to your server, they can just as easily run cat /proc/PID/environ to read the environment variables from any process (change PID to the process ID). Environment variables are not any more secure.

James McKinney · Answer 7 · Tue Sep 26 2023 03:26:31 GMT+0800 (China Standard Time)

Closing as need for envvar support (versus writing files) is unclear.