credential_mask
8 sites
Security covered
Security lead
Whatever you do, don't let this API key get committed!
Developer
drush config:export
Developer
Uh-oh…
Description
Best practice is to export your configuration and commit it to your source-code repository.
Best practice is also to avoid committing API keys, secrets, etc.
The credential mask module integrates with the configuration management API and ensures that the configuration keys marked as "sensitive" are not exported, and when configuration is imported, the unmasked configuration is not overridden.
Operation
Sensitive items can be managed either:
- via Drush
- via /admin/config/development/configuration/credential_mask (for users with the "import configuration" permission
Drush Commands
- credential_mask:add
Mark a config key as sensitive. - credential_mask:del
Remove a config key from the list of masked credentials. - credential_mask:list
List all active configuration properties identified as sensitive. - credential_mask:show-configuration
Show the configuration names and properties currently marked as sensitive.
Version requirements
- Drupal core 8.8 or greater
- Drush 10 or greater.
Similar modules
Other modules in the configuration-management ecosystem, such as Config split and Config filter may provide similar behaviour, or tools to achieve a similar outcome.