Follow-up from epic #40 / PR #57. A full credential env-var audit was
explicitly deferred when the narrow 12-factor scope landed.
Scope
Audit every place flapi reads a credential from the environment, plus
every `{{env.VAR}}` substitution path through YAML, and produce one
canonical inventory.
Specifically:
- Read every credential code path:
  - AWS: `credential_manager.cpp` (`AWS_ACCESS_KEY_ID`,
    `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, `AWS_SESSION_TOKEN`,
    `AWS_PROFILE`, ...)
  - GCS: `GOOGLE_APPLICATION_CREDENTIALS`,
    `GOOGLE_CLOUD_PROJECT`
  - Azure: `AZURE_STORAGE_CONNECTION_STRING`,
    `AZURE_STORAGE_ACCOUNT`, `AZURE_STORAGE_KEY`
  - flapi-specific: `FLAPI_CONFIG_SERVICE_TOKEN`,
    `FLAPI_NO_TELEMETRY`, `FLAPI_CONFIG`, `FLAPI_LOG_LEVEL`
  - YAML interpolation: `{{env.VAR}}` against
    `environment-whitelist`
- Cross-reference against the AWS / GCP / Azure SDK docs to find
credentials we don't read but ought to (e.g. `AWS_ROLE_ARN` for
IRSA, `GCE_METADATA_HOST` for VMs).
- Document the inventory in
`docs/CONFIG_REFERENCE.md` § "12-factor checklist" + the
landing-page `docs/tools/server-cli.md` env-vars table.
- Decide whether to read any additional env vars (or surface
warnings when a likely-mistyped variant is set — e.g.
`AWS_ACCESS_KEY` without the `_ID` suffix).
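The two checks the scope above asks for (whitelist-gated `{{env.VAR}}` interpolation, and a startup warning when a likely-mistyped credential variable is set) are small enough to sketch together. The block below is an added illustration written for this issue, not code from flapi's `credential_manager.cpp` or its YAML loader; the function names, the `Env` map standing in for the process environment, and the typo-variant table are assumptions made here, and the environment values used in `main` are constructed. Values are never included in any message, only variable names.

```cpp
// Added example (not flapi's own code): whitelist-gated {{env.VAR}} resolution
// plus startup warnings for likely-mistyped credential variables.
#include <cstddef>
#include <iostream>
#include <map>
#include <regex>
#include <set>
#include <string>
#include <vector>

// Environment snapshot as name -> value; a map stands in for getenv() so the
// checks can be exercised on constructed input.
using Env = std::map<std::string, std::string>;

// Canonical credential variables flapi reads (from the issue's inventory)
// mapped to near-miss spellings operators are likely to set instead.
// The variant list is a hypothetical starting point, not an SDK reference.
static const std::map<std::string, std::vector<std::string>> kKnownVariants = {
    {"AWS_ACCESS_KEY_ID",              {"AWS_ACCESS_KEY", "AWS_ACCESS_KEYID"}},
    {"AWS_SECRET_ACCESS_KEY",          {"AWS_SECRET_KEY", "AWS_SECRET_ACCESSKEY"}},
    {"AWS_SESSION_TOKEN",              {"AWS_SECURITY_TOKEN"}},
    {"GOOGLE_APPLICATION_CREDENTIALS", {"GOOGLE_APPLICATION_CREDENTIAL"}},
    {"AZURE_STORAGE_CONNECTION_STRING",{"AZURE_STORAGE_CONNECTION_STR"}},
    {"FLAPI_CONFIG_SERVICE_TOKEN",     {"FLAPI_CONFIG_TOKEN"}},
};

struct Resolved {
    std::string text;                 // template with permitted refs expanded
    std::vector<std::string> errors;  // one entry per rejected/unset reference
};

// Expand {{env.NAME}} only for NAMEs present in the whitelist. A reference to
// a non-whitelisted or unset variable is left unexpanded and reported, so a
// YAML file cannot pull arbitrary secrets out of the environment.
Resolved resolveEnvRefs(const std::string& tpl, const Env& env,
                        const std::set<std::string>& whitelist) {
    static const std::regex ref(R"(\{\{env\.([A-Za-z_][A-Za-z0-9_]*)\}\})");
    Resolved out;
    std::size_t last = 0;
    for (auto it = std::sregex_iterator(tpl.begin(), tpl.end(), ref);
         it != std::sregex_iterator(); ++it) {
        const auto& m = *it;
        const std::size_t pos = static_cast<std::size_t>(m.position());
        out.text.append(tpl, last, pos - last);
        const std::string name = m[1].str();
        if (!whitelist.count(name)) {
            out.errors.push_back(name + " is not in environment-whitelist");
            out.text += m.str();
        } else if (auto v = env.find(name); v == env.end()) {
            out.errors.push_back(name + " is whitelisted but not set");
            out.text += m.str();
        } else {
            out.text += v->second;
        }
        last = pos + static_cast<std::size_t>(m.length());
    }
    out.text.append(tpl, last, std::string::npos);
    return out;
}

// Warn when a known near-miss spelling is set while the canonical variable
// is not: the operator almost certainly meant the canonical name.
std::vector<std::string> typoWarnings(const Env& env) {
    std::vector<std::string> warnings;
    for (const auto& entry : kKnownVariants)
        for (const auto& variant : entry.second)
            if (env.count(variant) && !env.count(entry.first))
                warnings.push_back(variant + " is set but " + entry.first +
                                   " is not; did you mean " + entry.first + "?");
    return warnings;
}

// Names (never values) of canonical credential variables present in env,
// suitable for a startup log line or an audit report.
std::vector<std::string> setCredentialVars(const Env& env) {
    std::vector<std::string> names;
    for (const auto& entry : kKnownVariants)
        if (env.count(entry.first)) names.push_back(entry.first);
    return names;
}

int main() {
    // Constructed environment: one typo, one canonical var, one app secret.
    const Env env = {{"AWS_ACCESS_KEY", "constructed"},
                     {"AWS_SESSION_TOKEN", "constructed"},
                     {"DB_PASS", "constructed"}};
    for (const auto& w : typoWarnings(env)) std::cout << "warning: " << w << '\n';
    for (const auto& n : setCredentialVars(env)) std::cout << "credential set: " << n << '\n';
    const Resolved r = resolveEnvRefs(
        "host={{env.DB_HOST}} pw={{env.DB_PASS}} tok={{env.AWS_SESSION_TOKEN}}",
        env, {"DB_HOST", "DB_PASS"});
    std::cout << r.text << '\n';
    for (const auto& e : r.errors) std::cout << "error: " << e << '\n';
    return 0;
}
```

The interpolation deliberately fails closed: a reference that is not whitelisted stays as literal `{{env.NAME}}` text and is reported, rather than silently expanding to an empty string, which is the failure mode that makes a misconfigured deployment hard to spot in a security review.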
Why
The "secrets stay out of the bundle" invariant from self-packaging
relies on env-var credential delivery. Today the surface is partly
implicit (DuckDB extensions read their own env vars; flapi doesn't
gatekeep). A single authoritative inventory makes the contract
auditable for security review.
Acceptance
- Inventory table in `docs/CONFIG_REFERENCE.md`.
- Mirror in `flapi-landingpage` server-cli + deployment env-vars
tables.
- Optional: warnings for common typos at startup.
References