Bucket password in sync gateway config file

Hi,

We use password-protected buckets. To set up sync gateway access to the bucket, the password needs to be specified, as plain text, in the config file. Is there any way to specify the password separately? The config file contains code in the sync function, and we want to store it in git with the rest of our code. We don’t really want to fix the password in the code as this makes it difficult to have different passwords in different installations.

Our current thought is to rewrite the config file on startup, injecting the password from somewhere else (a different config, a command line parameter or whatever). Is there a better way?

Here is an example config file to illustrate:

{
    "log": ["CRUD+", "REST+", "Changes+", "Attach+"],
    "databases": {
        "mybucket": {
            "server": "http://localhost:8091",
            "username": "mybucket",
            "password": "canWeMoveThisOutOfHere?",
            [.....[
        }
    }
}

Would being able to have environment variable substitution in the config file satisfy your requirement?

Hi Traun,

Yes, env variable substitutions would help. I have now written a simple script to perform the substitutions I need to create a new config file, which is working, but it would be cleaner if env vars were possible.

Thanks,
Giles

Hi Giles,

We have a similar issue where we cannot store passwords in plain text on the system. Does your script simply update the config file before launching? If so, this doesn’t really help us since we need to dynamically load the password.

Couchbase, what is your recommended best practice from a security standpoint?

Any guidance here would be appreciated!

@gregory.st.clair How are you dynamically loading the password? Is it something like Vault or CyberArk?

If plaintext passwords are not suitable, would X.509 certificate authentication work instead?
Support for X.509 auth is in Couchbase Server 5.5 and coming to Sync Gateway in 2.1.

https://blog.couchbase.com/x-509-certificate-based-authentication/

Yes, my script updates the config file. It reads the password from a different config file, then reads an SG template config, replaces the password (and bucket name) placeholders and writes the correct SG config file before starting SG. This is all done from a single "start_sync_gateway" script.

I don’t see how this wouldn’t work with dynamically loaded passwords, unless you mean the password is loaded/changed after SG starts? This isn’t the case for my system.

Obviously plaintext passwords in the SG config file are not ideal, but I’m going with it. Maybe will look at X.509 auth when we next upgrade SG.
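As an added example (not Giles's actual script and not Couchbase code), here is a POSIX shell startup helper in the spirit of the template-substitution approach described in the thread and the environment-variable substitution Traun asked about. The placeholder syntax ${NAME}, the variable names SG_BUCKET and SG_BUCKET_PASSWORD, and the template itself are all constructed for this example.

```shell
#!/bin/sh
# Added example, not Giles's script or Couchbase code. Renders a Sync Gateway
# config from a committed template whose placeholders look like ${NAME},
# filling them from the environment so the file holding the real bucket
# password is generated at startup and never lives in git.
set -eu

# Replace each ${NAME} on stdin with the value of $NAME from the environment.
# Refuses unset variables and values containing a quote or backslash (they
# would corrupt the JSON) rather than emitting a broken or misleading config.
render_sg_config() {
  awk '
  {
    line = $0; out = ""
    while (match(line, /[$][{][A-Za-z_][A-Za-z0-9_]*[}]/)) {
      name = substr(line, RSTART + 2, RLENGTH - 3)
      if (!(name in ENVIRON)) {
        print "render_sg_config: " name " is not set" > "/dev/stderr"; exit 2
      }
      val = ENVIRON[name]
      if (val ~ /["\\]/) {
        print "render_sg_config: " name " has a quote or backslash" > "/dev/stderr"; exit 3
      }
      out = out substr(line, 1, RSTART - 1) val
      line = substr(line, RSTART + RLENGTH)
    }
    print out line
  }'
}

# Constructed template, i.e. the file you would commit: placeholders only.
SG_TEMPLATE='{
    "databases": {
        "${SG_BUCKET}": {
            "server": "http://localhost:8091",
            "username": "${SG_BUCKET}",
            "password": "${SG_BUCKET_PASSWORD}"
        }
    }
}'

# Write the rendered config, readable only by the user running Sync Gateway.
# Put SG_BUCKET_PASSWORD in the service environment (systemd EnvironmentFile,
# a secrets-manager hook), not on the command line where `ps` would show it.
write_sg_config() {
  out_file=$1
  umask 077
  printf '%s\n' "$SG_TEMPLATE" | render_sg_config > "$out_file"
}
```

The variables must be exported before calling write_sg_config (for example `export SG_BUCKET=mybucket SG_BUCKET_PASSWORD=...; write_sg_config /run/sg/config.json`), after which the start script would `exec sync_gateway /run/sg/config.json`.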