From 630fffe29438fb5a2b9f4eea1d6ad211763cc2bf Mon Sep 17 00:00:00 2001 From: Jonathan Clift Date: Thu, 29 Feb 2024 17:23:15 +0000 Subject: [PATCH 1/3] Small updates to explain additional permissions instance owners and admins now have --- docs/external-secrets.md | 6 ++++++ docs/user-management/account-types.md | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/external-secrets.md b/docs/external-secrets.md index 7e0aa205f..c37645233 100644 --- a/docs/external-secrets.md +++ b/docs/external-secrets.md @@ -70,3 +70,9 @@ For example, you have two n8n instances, one for development and one for product ### Infisical version changes Infisical version upgrades can introduce problems connecting to n8n. If your Infisical connection stops working, check if there was a recent version change. If so, report the issue to help@n8n.io. + +### External secrets should only be set on credentials owned by an instance owner or admin + +Due to the additional permissions that instance owners and admins have, it would be possible to update credentials owned by another user with a secrets expression. Whilst this will preview correctly for an instance owner or admin, the secret will not resolve when the workflow is run in production. + +Therefore, it's important that external secrets are only used on credentials that are owned by an instance admin or owner to ensure they are resolved when a production execution occurs. diff --git a/docs/user-management/account-types.md b/docs/user-management/account-types.md index e5488b90c..53d4e4c20 100644 --- a/docs/user-management/account-types.md +++ b/docs/user-management/account-types.md 
@@ -16,7 +16,7 @@ To use admin accounts, you need a pro or enterprise plan. * Add and remove users, including admin users * Upgrade members to admin, and downgrade admins to member * See and share all workflows - * See and share all credentials (but not see the sensitive information) + * See, edit and share all credentials (but not see the sensitive information) * Delete tags * Set up and use [Source control](/source-control-environments/) * Admin: elevated permissions within the app. From 255e952e3c53aa1ba2034b09d34ce39c1ee7bb41 Mon Sep 17 00:00:00 2001 From: Deborah Date: Mon, 4 Mar 2024 08:32:30 +0000 Subject: [PATCH 2/3] Apply suggestions from code review --- docs/external-secrets.md | 6 +++--- docs/user-management/account-types.md | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/external-secrets.md b/docs/external-secrets.md index c37645233..fa0a596f0 100644 --- a/docs/external-secrets.md +++ b/docs/external-secrets.md 
@@ -71,8 +71,8 @@ For example, you have two n8n instances, one for development and one for product Infisical version upgrades can introduce problems connecting to n8n. If your Infisical connection stops working, check if there was a recent version change. If so, report the issue to help@n8n.io. -### External secrets should only be set on credentials owned by an instance owner or admin +### Only set external secrets on credentials owned by an instance owner or admin -Due to the additional permissions that instance owners and admins have, it would be possible to update credentials owned by another user with a secrets expression. Whilst this will preview correctly for an instance owner or admin, the secret will not resolve when the workflow is run in production. +Due to the additional permissions that instance owners and admins have, it is possible for owners and admins to update credentials owned by another user with a secrets expression. This will preview correctly for an instance owner or admin, but the secret will not resolve when the workflow is run in production. -Therefore, it's important that external secrets are only used on credentials that are owned by an instance admin or owner to ensure they are resolved when a production execution occurs. +Only use external secrets for credentials that are owned by an instance admin or owner. This ensures they resolve correctly in production. diff --git a/docs/user-management/account-types.md b/docs/user-management/account-types.md index 53d4e4c20..649a3e9fb 100644 --- a/docs/user-management/account-types.md +++ b/docs/user-management/account-types.md 
@@ -16,7 +16,7 @@ To use admin accounts, you need a pro or enterprise plan. * Add and remove users, including admin users * Upgrade members to admin, and downgrade admins to member * See and share all workflows - * See, edit and share all credentials (but not see the sensitive information) + * See, edit, and share all credentials (but not see the sensitive information) * Delete tags * Set up and use [Source control](/source-control-environments/) * Admin: elevated permissions within the app. From 04815dda5f5f86308eab4c18da1ef7c9f985ae71 Mon Sep 17 00:00:00 2001 From: Deborah Date: Mon, 4 Mar 2024 08:50:00 +0000 Subject: [PATCH 3/3] Update docs/external-secrets.md --- docs/external-secrets.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/external-secrets.md b/docs/external-secrets.md index fa0a596f0..477eeaf07 100644 --- a/docs/external-secrets.md +++ b/docs/external-secrets.md @@ -73,6 +73,6 @@ Infisical version upgrades can introduce problems connecting to n8n. If your Inf ### Only set external secrets on credentials owned by an instance owner or admin -Due to the additional permissions that instance owners and admins have, it is possible for owners and admins to update credentials owned by another user with a secrets expression. This will preview correctly for an instance owner or admin, but the secret will not resolve when the workflow is run in production. +Due to the permissions that instance owners and admins have, it's possible for owners and admins to update credentials owned by another user with a secrets expression. This will appear to work in preview for an instance owner or admin, but the secret won't resolve when the workflow runs in production. Only use external secrets for credentials that are owned by an instance admin or owner. This ensures they resolve correctly in production.
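Review bot: In the docs/external-secrets.md hunk of PATCH 3/3, the paragraph beginning "Due to the permissions that instance owners and admins have" says the secret "won't resolve when the workflow runs in production" but gives the reader no symptom to recognise and no remedy for a credential that was already edited this way. Because the preview succeeds for the owner or admin who made the edit, the failure only shows up later at execution time, so a sentence describing what the failed resolution looks like in a production run, and what to do about an affected credential, would make the warning actionable. The word "permissions" could also link to the account types page, which this series changes to read "See, edit, and share all credentials". Last, the heading says "instance owner or admin" while the closing sentence says "instance admin or owner"; use one order throughout.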
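Review bot: In the docs/external-secrets.md hunk of PATCH 1/3, the new section is appended at the end of the file directly after "### Infisical version changes", which is a provider-specific troubleshooting item, while the new rule applies to every secrets provider and has to be known before a credential is configured. Consider moving it next to the part of the page that explains using secrets in credentials, or grouping it under a general limitations heading, so that readers who do not use Infisical do not skip past it.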
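Review bot: In the docs/user-management/account-types.md hunk, the changed bullet "See, edit, and share all credentials (but not see the sensitive information)" leaves it unclear whether "edit" covers the sensitive fields themselves. The external-secrets.md text in this same series says owners and admins can update a credential owned by another user with a secrets expression, so they can overwrite values they cannot view; the bullet should state that and link to the external secrets caveat. Also, the commit subject names both instance owners and admins, but this hunk changes a single bullet in the list that precedes the "Admin: elevated permissions within the app." line, so please confirm that the admin description carries the same edit permission.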