We store passwords for our service users as variables in our environments. Due to security guidelines in our company, we are not allowed to export any environments containing passwords to the Postman Workspace. We are, however, allowed to move collections that make use of these variables into the Postman Workspace. That's why we are trying to use the environments locally (Scratch Pad) and the collections in the Postman Workspace. Unfortunately we haven't found a way to do that yet. Once you log in and make use of the Postman Workspaces, you won't be able to access local collections/environments anymore.
Is anyone else also restricted by the company’s security guidelines to move passwords to the Postman Workspace? Is there a way to use both Workspace and Scratch Pad at the same time?
One of our key principles is no passwords in scripts.
The collections and environments are basically JSON (text) files, so the principle will apply here as well.
The collections are loaded into our code repository and they must not include passwords.
We aren’t using the Postman API (yet), but the principle would apply there as well.
Therefore those elements are included in the environment file as a variable that we pass during the CI pipeline.
In our personal circumstance, we are lucky enough to have Azure Key Vault, so passwords will be pulled from here as one of the first steps in the pipeline. (I haven't actually done this yet, but it's on my list of tasks for implementing.)
Azure Key Vault has a REST API, so it can be included in a pre-req script and pulled in locally as well while you are initially developing your collection/requests.
If you don’t have Azure Key Vault, you could store the passwords on a secure share and pull it from here. I’ll try and dig out a link on how this works.
Actually the example I have is for PowerShell, not JavaScript.
I’ll see if I can find an example with JavaScript.
I’m lucky enough to have Key Vault, so this isn’t really an issue for me. You might want to consider proposing a similar tool for storing passwords securely. Ideally any tool you pick should have a REST interface so you can use it locally as well as in the CI pipelines.
Looking at the libraries that Postman supports, I suspect you should be able to do something with crypto-js:

// Postman's script sandbox bundles crypto-js; load it explicitly
const CryptoJS = require('crypto-js');

// Encrypt: passphrase-based AES, returning a base64 string
const secret = CryptoJS.AES.encrypt('My Message or Password', 'My Secret Key').toString();
console.log("secret = " + secret);

// Decrypt: returns a WordArray, which must be decoded as UTF-8 to recover the text
const bytes = CryptoJS.AES.decrypt(secret, 'My Secret Key');
console.log("bytes = " + bytes);
const originalText = bytes.toString(CryptoJS.enc.Utf8);
console.log("original text = " + originalText); // 'My Message or Password'
You can just set your pre-req script to retrieve the secret from a CSV file or similar data source. The CSV file should contain the variable name, the secret and the secret key.
This can be local, but ideally should be held centrally (but outside of Postman or your code repository). That should keep your info sec bods happy.
You could probably write a bit of code that retrieves all of the environment variables that need to be retrieved from the file (just give the variable a prefix if the collection has other variables, so you can filter out any variables you don't need to get data for), and then import and parse the CSV file before retrieving the secret linked to that variable and storing it in the environment variable.
Or alternatively, you can do this via the collection runner.