Make it possible for k6 to handle secret information

[oleiade]

Feature Description

The Problem

There's currently a need for a more secure way to handle sensitive data, such as credentials, within k6.

As a user, I want to safely load and use credentials in k6 without exposing them to potential security risks, such as storing them in plaintext files or the operating system's environment variables.

The Reason

Users often request enhanced authentication methods when using the k6-jslib-aws. Currently, AWS credentials can only be hardcoded into the script or loaded from the environment. In both scenarios, the credentials might end up in plaintext within k6's archive, which poses a serious security risk.

Suggested Solution (optional)

Preventing storing environment variables in the archive

#2587

k6 Vault

⚠️ Please note this is a preliminary concept, which doesn't stand as a "proposal" and requires further research and discussion. ⚠️

I've been pondering the idea of a "k6 vault," similar to secret management tools used in deployment technologies like Ansible. The main idea is to provide a secure, encrypted location for storing secrets used in k6 scripts.

Users could create, edit, or display a vault file (in any format, like toml/yaml/json/ini) through a specific command. A passphrase would be required to ensure that secrets are stored securely in an encrypted file. During script execution, a vault module (or possibly a magic variable like __VAULT) could provide access to these secrets.

Here's a basic concept of command usage:

# Create vault with a passphrase
$ k6 vault create --passphrase 'BonjourLeMonde'

# Display vault file
$ ls -la .k6vault

# Unlock vault for editing
$ k6 vault unlock --passphrase

# Lock vault after editing
$ k6 vault lock --passphrase

# 'k6 run' command unlocks the vault when the 'vault' module is used. 
# The passphrase can be retrieved from the environment, a file, or other sources (in a cloud or CI environment, for example).
# If an unlocked vault is found, an error could be raised?
$ k6 run 

Already existing or connected issues / PRs (optional)

• Load credentials from credentials file? k6-jslib-aws#22
• Preventing storing environment variables' values in archive #2587
• https://community.k6.io/t/use-k6-on-aws-ec2-with-instance-role/5147/3
• xk6-webcrypto would make the encryption/decryption layer of whatever we end up building rather easy to work with.

[imiric]

I think this would be wildly out of scope for what k6 does and should do, but it could work as an extension if someone is interested. This might make sense for Ansible, as a configuration management tool that deals with hosts and sensitive information, but is there a precedent for this in a load testing / observability tool?

Secret management is a solved problem using external tools, and as far as k6 is concerned, any secrets a k6 script needs access to can be part of the environment. The security concern of sensitive information ending up in the archive is a problem with the way k6 handles environment variables, as detailed in #2744. In any case, a solution to this doesn't have to involve k6 also becoming a secret management tool.