Agenix secrets readable by two or more users

Hi,

In my config, two users need access to the same secret (the mysql pwd in fact, which is needed by the mysql and by the phpfpm user).

My current solution is to define two age secrets with the same file but with a different user.

    age.secrets = {
      "${app}.mysql.pwd" = {
        file = ../../machines/${hostName}/secrets/${app}/${app}.mysql.pwd;
        owner = "mysql";
      };
      "${app}.phpapp.pwd" = {
        file = ../../machines/${hostName}/secrets/${app}/${app}.mysql.pwd;
        owner = "${app}";
      };
    };

Is there an easier way of doing this?

By adding the users to a specific group?

I thought about it, but I’m going to have a group just to read one file. I’m not sure I can call that a simplification :thinking:

BTW I’m using file_get_contents to read the password with php.
In case anyone wants to use the same method, you have to trim the result, because file_get_contents adds whitespace at the end of the result.

    $content = file_get_contents('/run/agenix/mysql.pwd');
    echo $content === trim($content) ? 'No whitespace found' : 'Whitespace found';
    // result is Whitespace found

The permission system has 3 levels of access: user, group and others. So you can use the same user, the same group, or make it readable for everyone on the system (the last is likely the worst option).

So if you don’t want to have a common group, you need to use the same user, if you don’t want to place the same secret out of the same encrypted file twice (which is the option you have).

Another possible option: use systemd credentials here. With that you can keep the decrypted credentials as the root user and systemd makes them readable for your units. But that is also only a reasonable option if you can/want to run everything through systemd.
See that option in systemd.exec.
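Both of the approaches suggested above (a shared group, or root-only secrets handed out through systemd credentials) as one added example module; this is not code from the thread or from agenix itself. The `app` and `hostName` values and the `phpfpm-${app}` unit name are assumptions; a real config would keep only one of the two options.

```nix
{ config, ... }:
let
  app = "myapp";       # placeholder application/user name (assumption)
  hostName = "host1";  # placeholder host name (assumption)
in
{
  # Option 1: one decrypted file, readable by a dedicated group.
  # Both service users join the group; the file stays root-owned and
  # group-readable only (0440), so it is never world-readable.
  users.groups."${app}-secrets" = { };
  users.users.mysql.extraGroups = [ "${app}-secrets" ];
  users.users."${app}".extraGroups = [ "${app}-secrets" ];

  age.secrets."${app}.mysql.pwd" = {
    file = ../../machines/${hostName}/secrets/${app}/${app}.mysql.pwd;
    owner = "root";
    group = "${app}-secrets";
    mode = "0440";
  };

  # Option 2: keep the decrypted file at agenix's default (root, 0400)
  # and let systemd hand each unit its own private copy via LoadCredential.
  # Inside the unit the file is at $CREDENTIALS_DIRECTORY/mysql.pwd, so
  # PHP would read getenv('CREDENTIALS_DIRECTORY') . '/mysql.pwd'.
  age.secrets."${app}.mysql.pwd.root" = {
    file = ../../machines/${hostName}/secrets/${app}/${app}.mysql.pwd;
  };
  systemd.services.mysql.serviceConfig.LoadCredential = [
    "mysql.pwd:${config.age.secrets."${app}.mysql.pwd.root".path}"
  ];
  # NixOS names the php-fpm pool unit phpfpm-<pool>; the pool name is assumed here.
  systemd.services."phpfpm-${app}".serviceConfig.LoadCredential = [
    "mysql.pwd:${config.age.secrets."${app}.mysql.pwd.root".path}"
  ];
}
```

With option 2 the secret is still decrypted from a single age file, but no non-root user on the host can open it directly; only the two units see it, each under its own credentials directory.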
