Dragos as you noted when you create the action (or bind a package containing the action) you can specify the parameters for the action.
Then when the action is composed into the sequence it already has the parameters attached. Those parameters are not visible to other actions in the sequence (they do not escape the action without one doing it deliberately i.e. returning a json object containing the secrets from the action). If you're surfacing the sequence via the API gateway then you've hidden the parameters (I am taking it at face value that final actions have parameters that may not be overridden at invoke time). Does this fit your use case? -r > On Jan 19, 2017, at 12:02 PM, Dragos Dascalita Haut <[email protected]> wrote: > > I'd like to create an action that communicates with another API. The action > needs a client_id, a secret and/or a keyfile, and/or a private key pair. This > is a typical scenario to authenticate a service call; there's an example at > [1] describing what needs to be done for such a scenario. > > > Assumptions : > > 1. we can't store credentials with the code in Git > > 2. if the action becomes part of a sequence we might not want the other > actions in that sequence to have access to these credentials. we might want > to restrict the credentials to be visible only to the action that needs them. > > > There are 2 questions here: > > 1. How can developers associate such metadata (in the lack of a better term) > to the action. > > 2. How can the action retrieve this metadata. > > > I'm wondering if there are any thoughts on this already documented or if it's > a problem we're yet to solve. > > > Thanks, > dragos > [1] - https://developers.google.com/identity/protocols/OAuth2ServiceAccount
