Authentication overview

Authentication in MicroENV is designed to secure access to environment variables and secrets across various development and deployment environments. It ensures that only authorized users, applications, or services can retrieve, modify, or manage sensitive configuration data stored within MicroENV projects. The system supports different authentication mechanisms tailored for programmatic access, command-line usage, and human interaction via the MicroENV Cloud Dashboard. This multi-faceted approach aims to maintain a high level of security while facilitating integration into existing development workflows and CI/CD pipelines, aligning with principles of least privilege and secure credential management.

MicroENV's authentication infrastructure is built to protect sensitive data by verifying the identity of any entity attempting to interact with the platform. This includes restricting access to project settings, environment variables, and audit logs. The platform's security model is detailed in the official MicroENV security documentation, which outlines how data is encrypted in transit and at rest, and how access controls are enforced.

Supported authentication methods

MicroENV supports several authentication methods, each suited for different use cases and security requirements. The choice of method typically depends on whether the access is programmatic, interactive, or for automated systems like CI/CD runners.

| Method | When to Use | Security Level |
|---|---|---|
| API Keys | Programmatic access, server-to-server communication, CI/CD pipelines, integrations with other services. | High (if managed securely); requires careful handling to prevent exposure. |
| CLI Tokens | Interactive command-line operations, local development, scripted tasks on developer workstations. | High (if managed securely); typically short-lived or tied to user sessions. |
| Email/Password (Dashboard) | Human interaction with the MicroENV Cloud Dashboard for managing projects, users, and settings. | Standard (enhanced by MFA if enabled); for web-based GUI access. |
| OAuth/SSO (Dashboard) | Enterprise environments requiring single sign-on through providers like Google, GitHub, or custom SAML. | Very High; leverages established identity providers and enterprise security policies. |

API keys are long-lived tokens that grant specific permissions to access MicroENV resources. They are generated within the MicroENV Cloud Dashboard and should be treated as sensitive credentials. CLI tokens, on the other hand, are often shorter-lived and typically associated with a logged-in user session, providing authenticated access for command-line interactions. For dashboard access, users can authenticate directly with an email and password, or leverage OAuth/SSO integrations for enhanced security and streamlined access management, as described in the MicroENV access management guide.

Getting your credentials

To interact with MicroENV programmatically or via the CLI, you will need to obtain the appropriate credentials. The process primarily involves using the MicroENV Cloud Dashboard.

API Keys

  1. Log in to the MicroENV Cloud Dashboard: Access the dashboard at microenv.com using your registered email and password or an SSO provider.
  2. Navigate to Project Settings: Select the project for which you need an API key. Each project can have its own set of API keys with specific permissions.
  3. Generate a New API Key: Within the project settings, locate the 'API Keys' or 'Integrations' section. Click on 'Generate New API Key'.
  4. Configure Permissions: Assign appropriate read/write permissions to the API key based on the principle of least privilege. For example, a CI/CD pipeline might only need read access to specific environments.
  5. Copy and Store Securely: Once generated, the API key will be displayed. Copy it immediately, as it may not be retrievable again for security reasons. Store this key in a secure location, such as an environment variable in your CI/CD system or a secrets manager. Avoid hardcoding API keys directly into your source code.

CLI Tokens

  1. Install the MicroENV CLI: If you haven't already, install the MicroENV CLI tool on your local machine or CI/CD runner. Instructions are available in the MicroENV CLI installation guide.
  2. Log in via CLI: Open your terminal and run the command: microenv login.
  3. Follow On-Screen Prompts: The CLI will prompt you to open a browser window to authenticate with your MicroENV account (email/password or SSO). Upon successful authentication, a CLI token will be securely stored on your local machine, typically in a configuration file. This token is used automatically by subsequent microenv commands until it expires or you log out.

For automated systems, consider using dedicated service accounts or roles in your CI/CD platform to manage and inject API keys securely, rather than relying on interactive CLI logins.

Authenticated request example

Once you have obtained an API key, you can use it to make authenticated requests to the MicroENV API. API requests are authenticated primarily by including the API key in the Authorization header.

Here's an example of how to retrieve environment variables for a specific project and environment using curl and an API key:

curl -X GET \
  "https://api.microenv.com/v1/projects/{project_id}/environments/{environment_name}/variables" \
  -H "Authorization: Bearer YOUR_MICROENV_API_KEY" \
  -H "Content-Type: application/json"

Replace {project_id} with the actual ID of your MicroENV project, {environment_name} with the name of the environment (e.g., development, production), and YOUR_MICROENV_API_KEY with your generated API key. The key is sent after the Bearer scheme name, following the OAuth 2.0 Bearer Token Usage specification.
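The same request as a reusable shell function, added here as an example (not MicroENV's own tooling): it takes the key from an environment variable and hands it to curl on stdin, so the key never appears in curl's argument list. The variable name MICROENV_API_KEY and the character set allowed for project IDs and environment names are assumptions; the key check uses the token character set of the Bearer specification.

```shell
#!/bin/sh
# Added example. Assumptions: the key is held in MICROENV_API_KEY, and
# project IDs / environment names use only letters, digits, "_" and "-".

MICROENV_API_BASE="https://api.microenv.com/v1"   # base URL from the curl example above

# Succeeds only if $1 is non-empty and cannot add path segments or a query
# string to the request URL.
microenv_valid_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Writes a curl config for the request to stdout.
# Returns 2 for an unsafe project ID or environment name, 3 for a missing or malformed key.
microenv_curl_config() {
  project_id=$1 environment=$2 key=${MICROENV_API_KEY:-}
  microenv_valid_name "$project_id" || { echo "bad project id" >&2; return 2; }
  microenv_valid_name "$environment" || { echo "bad environment name" >&2; return 2; }
  case "$key" in
    '') echo "MICROENV_API_KEY is not set" >&2; return 3 ;;
    *[!A-Za-z0-9._~+/=-]*) echo "MICROENV_API_KEY is not a valid Bearer token" >&2; return 3 ;;
  esac
  printf 'url = "%s/projects/%s/environments/%s/variables"\n' \
    "$MICROENV_API_BASE" "$project_id" "$environment"
  printf 'header = "Authorization: Bearer %s"\n' "$key"
}

# Sends the request. printf is a shell builtin and curl reads the config from
# stdin, so the key is not visible in any process's argument list (ps).
microenv_get_variables() {
  config=$(microenv_curl_config "$1" "$2") || return
  printf '%s\n' "$config" |
    curl --silent --show-error --fail --proto '=https' --config -
}

# Usage: microenv_get_variables <project_id> <environment_name>
```
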

For CLI operations, once you've logged in using microenv login, subsequent commands automatically use the stored CLI token. For example, to fetch variables for a project:

microenv variables get --project-id {project_id} --environment {environment_name}

The CLI handles the authentication details transparently after initial login, making it convenient for developers. For more detailed API usage, refer to the MicroENV API reference documentation.

Security best practices

Securing your MicroENV credentials and access is crucial for protecting your sensitive environment variables. Adhering to these best practices can mitigate common security risks:

  1. Principle of Least Privilege: Grant API keys and user accounts only the minimum necessary permissions. For example, a CI/CD pipeline fetching secrets for deployment should only have read access to the relevant environment, not write access or access to other projects.
  2. Secure Storage of API Keys: Never hardcode API keys directly into your application's source code. Instead, use secure methods like environment variables, secrets managers (e.g., AWS Secrets Manager, Azure Key Vault, Google Secret Manager), or dedicated secret injection mechanisms provided by your CI/CD platform.
  3. Rotate Credentials Regularly: Implement a policy for regular rotation of API keys and other long-lived credentials. This limits the window of exposure if a key is compromised. While MicroENV does not enforce automatic rotation, it is a recommended operational practice.
  4. Enable Multi-Factor Authentication (MFA): For all human users accessing the MicroENV Cloud Dashboard, enable MFA. This adds an extra layer of security by requiring a second verification factor beyond just a password.
  5. Monitor Audit Logs: Regularly review MicroENV's audit logs to detect any suspicious or unauthorized access attempts or changes to environment variables. These logs provide a record of who accessed what and when.
  6. Network Restrictions (if available): If your infrastructure supports it, consider restricting access to MicroENV's API endpoints from specific IP addresses or networks. While MicroENV's public API is globally accessible, you can implement network-level controls on your side to limit where requests from your applications can originate.
  7. Avoid Sharing Credentials: Each developer and service should have their own unique credentials. Sharing credentials makes it difficult to track activity and revoke access selectively.
  8. Use Short-Lived Tokens for CI/CD: Where possible, opt for authentication mechanisms that provide short-lived, ephemeral tokens for automated systems. While MicroENV API keys are generally long-lived, integrating with identity providers that issue temporary credentials can enhance security.
  9. Secure Local Development Environments: Ensure that CLI tokens and other local credentials are not exposed. Use secure file permissions and avoid committing configuration files containing tokens to version control.
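A check for item 9, added here as an example (not part of the MicroENV CLI): it reports a token file that is readable by group or others, or that is tracked by git. This page does not give the location of the CLI's configuration file, so the path is supplied by the caller.

```shell
#!/bin/sh
# Added example. The token file path is an argument because its real
# location is not stated on this page; any path used with it is a placeholder.

# Succeeds if group and others have no permission bits on the file.
# Parses the mode string from `ls -ld` (e.g. "-rw-------"), which works on
# both GNU and BSD systems, unlike `stat` format options.
token_file_is_private() {
  mode=$(ls -ldL -- "$1" 2>/dev/null) || return 2
  case "$(printf '%s' "$mode" | cut -c5-10)" in
    ------) return 0 ;;
    *) return 1 ;;
  esac
}

# Succeeds if the file is tracked (staged or committed) in a git repository.
# Returns non-zero when untracked, outside a repository, or git is absent.
token_file_is_tracked() {
  command -v git >/dev/null 2>&1 || return 1
  git -C "$(dirname -- "$1")" ls-files --error-unmatch -- \
    "$(basename -- "$1")" >/dev/null 2>&1
}

# Prints one line per finding. Returns 0 when clean, 1 on findings,
# 2 when the file does not exist.
audit_token_file() {
  findings=0
  if [ ! -f "$1" ]; then echo "not found: $1" >&2; return 2; fi
  if ! token_file_is_private "$1"; then
    echo "FINDING: $1 is accessible to group or others (fix: chmod 600)"
    findings=$((findings + 1))
  fi
  if token_file_is_tracked "$1"; then
    echo "FINDING: $1 is tracked by git (untrack it and add it to .gitignore)"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Usage: audit_token_file /path/to/token-config   (placeholder path)
```

A token that was ever committed should be treated as exposed and revoked, since removing the file from the index does not remove it from history.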

By diligently applying these practices, organizations can significantly enhance the security posture of their environment variable management within MicroENV.