automation rscadmin configure --encrypt-config-value is not usable

pst-cnt-adh-drwn · February 10, 2023, 12:02pm

when doing a rscadmin configure --encrypt-config-value, the result shows all kind of log messages which makes it unusable to place in a variable etc and use for automated deployment scenarios. As we do a dully IaC CICD of posit connect, this should be possbile.
e.g.:

echo test | sudo /opt/rstudio-connect/bin/rscadmin configure --encrypt-config-value 2> /dev/null
time="2023-02-10T11:36:20.334Z" level=info msg="Checking to make sure Connect isn't running..."
time="2023-02-10T11:36:20.335Z" level=info msg="Success. Connect does not appear to be running."
time="2023-02-10T11:36:20.430Z" level=info msg="Loaded server migration from '/etc/rstudio-connect/rstudio-connect-migration.gcfg'"
time="2023-02-10T11:36:20.432Z" level=info msg="The migration file does not affect the configuration"
time="2023-02-10T11:36:20.432Z" level=info msg="Found 0 environment variables starting with 'CONNECT_' that may affect configuration.\n"
time="2023-02-10T11:36:20.432Z" level=info msg="Using file /var/log/rstudio/rstudio-connect/rstudio-connect.log to store Server Logs."
OFaXNRL8KR0srMLw8OBsE.......=

so the answer in How to automate /opt/rstudio-connect/bin/rscadmin configure --encrypt-config-value is not working.

How could this be made usable?
kind regards,
pst-cnt-adh-drwn

kellobri · February 13, 2023, 5:50pm

Hi @pst-cnt-adh-drwn

Is GitHub - rstudio/rskey: Standalone encryption and secret key management for RStudio's Connect and Package Manager more what you're looking for in this scenario?

jwimberley · April 4, 2023, 8:07pm

I am unable to use rscadmin for a similar reason -- I get many lines of output that eventually ask me to shut down my running Rstudio Connect instance, which I would like to avoid. The rskey README says that it is a drop-in replacement for rscadmin configure --encrypt-config-value, but it has a required keyfile argument. When I use the SSL key that is the value of Key in my /etc/rstudio-connect/rstudio-connect.gcfg file, I get an error, probably because it is the wrong type of key. What keyfile should I supply to guarantee output that can be decrypted interoperably (i.e. an SMTP password for configuring RSC's email settings)?

rstub · April 5, 2023, 9:06am

The key file expected by rskey is not the SSL key. Instead it is a Connect internal encryption key which is created in DataBase.Dir and named secret.key. If you have not changed the default values, you could use

rskey encrypt -f /var/lib/rstudio-connect/db/secret.key

pst-cnt-adh-drwn · April 5, 2023, 9:21am

Dear @rstub the infromation on github states:
It can be used to help manage secrets without the need to install these products first, and is designed for use in Infrastructure-as-Code and containerised deployments of these products.

So how does it work than?

pst-cnt-adh-drwn · April 5, 2023, 9:31am

Hi @kellobri,
Sorry for the late reply.
This isn't a solution imho. It should be available in the product itself and no other installs should be necessary.

If this is developped by Posit, why isn't it in the products itself? When can we expect it to be incroporated?

Thanks.

rstub · April 6, 2023, 8:52am

The rskey utility can be used for multiple purposes:

Creating a compatible secret key
Encrypting data with an existing secret key
Decrypting data with an existing secret key

Connect will automatically create a secret key upon first startup, so you don't need the first feature. But you can still use the second and third feature by specifying the already existing secret key.