Hello,

I currently have some workbenches which access APIs and hence have secrets within them, which is fine when this is secured on FME Flow. 

I also want to set up version control, and have all of my workbenches uploaded to remote repo, GitHub.
TLDR: How can I secure my API secrets on GitHub?

So far I’ve looked into:

  • Encrypting my workbenches
  • Storing my API keys as published parameters on FME Flow
    • this may be hard to manage, especially when trying to run/debug/design any API workflows
    • if a user/developer accidentally hits ‘save parameters’, then this method will likely be redundant
    • can become messy and difficult to manage in general


Would setting up the secret as a password parameter within the workbench encrypt it in the .fmw? 

Will a password protected workbench still work on FME Flow?
What other options do I have?



Thanks.

What about making the published parameter = Private?

Unticking the Published.

You also have the option “Require Password Confirmation”, but I’ve not seen this in use.

You have a few options:

  • Password-protect the workspace: this encrypts the entire fmw, so secrets can’t be accessed by opening it in Workbench or a text editor. Note that the password is only required to open/edit the workspace, not to run it. So you’ll be able to use it on FME Flow.

  • Use an FME Web Connection: this is the recommended way to handle credentials. The connection details are stored securely on FME Flow and won’t be included in what you push to GitHub.

  • Externalize the secret: for example, store it in a local file (excluded from version control) or an environment variable, and make your workspace read it at runtime. This avoids publishing secrets but does require you to manage the security of that external storage yourself.


….

  • Externalize the secret: for example, store it in a local file (excluded from version control) or an environment variable, and make your workspace read it at runtime. This avoids publishing secrets but does require you to manage the security of that external storage yourself.

I’ve had lots of success doing this with things like Azure Key Vault and AWS KMS. The gist of it is:

  • Build a custom transformer that takes your key name and returns the secret
  • The Windows account being used is granted access to the key
  • The returned secret is then only used at run time
  • Keys can be rotated in the vault and no other updates are required
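One way to implement the runtime lookup described in this reply and in the “externalize the secret” option earlier in the thread, as an added example that is not part of the original thread or of Safe Software’s code. It resolves a secret by key name from an environment variable first and then from a key=value file kept outside the repository, with no caching so a rotated value is picked up on the next run. The vault clients (Azure Key Vault, AWS KMS) are not shown; the two backends here stand in for “the external store the Windows account has access to”. The `input`/`pyoutput` method names follow FME’s PythonCaller template; the attribute names `_key_name` and `_secret`, the `FME_SECRETS_FILE` variable and the sample values are constructed assumptions.

```python
"""Resolve an API secret by key name at run time instead of storing it in the .fmw.

Lookup order (first hit wins):
  1. an environment variable named after the key (upper-cased, non-alphanumerics -> '_'),
  2. a KEY=VALUE file kept outside version control, located via FME_SECRETS_FILE.
Nothing is cached, so rotating the value in the external store needs no workspace edit.
All names below (attributes, env var, file format) are constructed for this example.
"""
import os
import re
from pathlib import Path
from typing import Mapping, Optional, Union


class SecretNotFound(KeyError):
    """Raised when no configured external store holds the requested key name."""


def env_var_name(key_name: str) -> str:
    """Map a key name such as 'geocoder.api-key' to GEOCODER_API_KEY."""
    return re.sub(r"[^A-Z0-9]", "_", key_name.upper())


def read_secrets_file(path: Path) -> dict:
    """Parse a KEY=VALUE file; '#' comments and blank lines are skipped,
    surrounding single or double quotes around the value are removed."""
    secrets = {}
    for raw in path.read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        secrets[key.strip()] = value
    return secrets


def resolve_secret(key_name: str,
                   env: Optional[Mapping[str, str]] = None,
                   secrets_file: Optional[Union[str, Path]] = None) -> str:
    """Return the secret for key_name from the environment, then the secrets file.

    The secret is returned to the caller only; it is never written to disk or logged.
    """
    env = os.environ if env is None else env
    name = env_var_name(key_name)
    if env.get(name):
        return env[name]
    if secrets_file is not None and Path(secrets_file).is_file():
        file_secrets = read_secrets_file(Path(secrets_file))
        if name in file_secrets:
            return file_secrets[name]
    raise SecretNotFound(key_name)


def masked(secret: str) -> str:
    """Safe representation for log lines: only the last four characters are shown."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return "*" * (len(secret) - 4) + secret[-4:]


class SecretLookup:
    """PythonCaller-style class (constructed example, not an FME-supplied transformer).

    For each incoming feature it reads the key name from attribute `_key_name`,
    resolves the secret at run time and attaches it as `_secret` for the
    downstream HTTPCaller; the value is never part of the published workspace.
    """

    def __init__(self):
        # Path to the out-of-repo secrets file; unset means environment only.
        self.secrets_file = os.environ.get("FME_SECRETS_FILE")

    def input(self, feature):
        key_name = feature.getAttribute("_key_name")
        secret = resolve_secret(key_name, secrets_file=self.secrets_file)
        feature.setAttribute("_secret", secret)
        self.pyoutput(feature)  # supplied by FME when run inside a PythonCaller

    def close(self):
        pass
```

Point `FME_SECRETS_FILE` at a file that your `.gitignore` excludes (or leave it unset and rely on environment variables set for the FME Flow service account); either way the `.fmw` only contains the key name, so committing it to GitHub leaks nothing.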