How to keep credentials out of the cloud?

Our team is currently using Postman locally with each developer having their own local scratchpad. We share a common environment by each developer importing a common JSON file for the environment. The environment holds shared credentials, that each developer can use, with the initial value of user names and passwords being stored.

Now that we are migrating our scratchpads into the cloud workspaces, there doesn’t seem to be a way that we can keep the credentials out of the cloud, to comply with our corporate security policies, while still being able to share them among team members. I understand that if we remove the initial value from the variable and only use the current value, then the initial value isn’t stored in the cloud, but then neither can we share the common credentials in the current value amongst the team, as the current value is not saved in the exported JSON file.

What I would ideally like is that environments are kept local in their entirety, and not stored in the cloud at all, while the collections of API requests are in the cloud workspace.

Is there any way around this?


The initial values are synched to the Postman Cloud, it’s the current values that aren’t.

Stick the confidential stuff in a secure repository like Azure Keyvault.

Each team member will then have to copy and paste into the current value when needed during development or initial testing.

Hopefully, your collections will be run using a CI tool (like Jenkins or Azure Pipelines).

You can save the environment.json that contains all of the secret variables for a project as a single entry in your Keyvault, and then use that in the job pipeline, specifically in the element that calls the Newman command line.

As these are confidential, you don’t store them in your code repository.

Therefore you copy and paste when developing and setting up the initial tests, and you send the environment using the Newman command line options when they are production ready.
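As an added example (not from this thread or Postman's own tooling), a small Python helper for the workflow just described: it splits an exported environment into a template whose secret initial values are blanked (safe to sync or commit) and a secrets map to store in a vault such as Key Vault, audits an export for secrets that would still sync, and rebuilds the full file for `newman run -e` at pipeline time. It assumes the export layout noted in its docstring and uses a constructed sample environment.

```python
"""Split a Postman environment export into a shareable template plus a secrets
file, and merge them back into a file for `newman run -e`. Assumes the export
layout: a top-level "values" list of {"key","value","type","enabled"} objects,
where "value" is the initial value Postman syncs to the cloud."""
import copy

# Constructed sample export; nothing here is a real credential.
SAMPLE_ENV = {
    "name": "team-shared",
    "values": [
        {"key": "baseUrl", "value": "https://api.example.test", "type": "default", "enabled": True},
        {"key": "username", "value": "svc-account", "type": "secret", "enabled": True},
        {"key": "password", "value": "constructed-not-real", "type": "default", "enabled": True},
    ],
    "_postman_variable_scope": "environment",
}

# Key-name hints that mark a variable sensitive even if it was not typed "secret".
SECRET_KEY_HINTS = ("password", "secret", "token", "apikey", "api_key")

def is_secret(var):
    return var.get("type") == "secret" or any(h in var["key"].lower() for h in SECRET_KEY_HINTS)

def split_environment(env):
    """Return (template, secrets): the template has every secret's initial value
    blanked so it can sync or be committed; secrets is the dict for the vault."""
    template = copy.deepcopy(env)
    secrets = {}
    for var in template["values"]:
        if is_secret(var):
            secrets[var["key"]] = var["value"]
            var["value"] = ""
            var["type"] = "secret"  # keep Postman masking it in the UI
    return template, secrets

def merge_environment(template, secrets):
    """Rebuild the full environment at pipeline time from the template plus the
    secrets JSON fetched from the vault; fail loudly if any secret is missing."""
    env = copy.deepcopy(template)
    missing = [v["key"] for v in env["values"] if is_secret(v) and v["key"] not in secrets]
    if missing:
        raise ValueError("secrets not supplied for: " + ", ".join(missing))
    for var in env["values"]:
        if var["key"] in secrets:
            var["value"] = secrets[var["key"]]
    return env

def leaked_secrets(env):
    """Audit: secret keys still carrying an initial value, i.e. ones that would sync."""
    return [v["key"] for v in env["values"] if is_secret(v) and v["value"]]
```

Running `leaked_secrets` over an export before it is shared or committed is the check that catches the case the original poster describes, where an initial value silently ends up in the cloud workspace.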

Thanks, that’s what I was afraid of - everyone having to copy & paste the current values. It’s a bit clunky. Rather than the current values being stored in browser storage, I’d prefer to see the current values stored in a file, which isn’t synched to the cloud, and which can be put under source code control.

These “secrets” shouldn’t really be in your source control.

It is not recommended to store these alongside your code.

They should be in a secure vault or something similar.


With V11 of Postman, we have introduced the Postman Vault (Store secrets in your Postman Vault | Postman Learning Center), which allows you to store your sensitive data in an encrypted local vault that is not synced with the Postman Cloud.

Also, we have added multiple security features to help prevent accidental exposure of your API credentials.