feat: pass secrets to agent via Manifest

evgeniy-scherbina · evgeniy-scherbina · commit 27de2ce76c39 · 2025-07-23T20:55:49.000Z
diff --git a/agent/agent.go b/agent/agent.go
@@ -1410,6 +1410,10 @@ func (a *agent) updateCommandEnv(current []string) (updated []string, err error)
 	}
 	envs["PATH"] = fmt.Sprintf("%s%c%s", a.scriptRunner.ScriptBinDir(), filepath.ListSeparator, envs["PATH"])
 
+	for _, secret := range manifest.UserSecrets {
+		envs[secret.EnvName] = secret.Value
+	}
+
 	for k, v := range envs {
 		updated = append(updated, fmt.Sprintf("%s=%s", k, v))
 	}
diff --git a/agent/proto/agent.pb.go b/agent/proto/agent.pb.go
diff --git a/agent/proto/agent.proto b/agent/proto/agent.proto
@@ -99,13 +99,14 @@ message Manifest {
 	repeated WorkspaceAgentMetadata.Description metadata = 12;
 	repeated WorkspaceAgentDevcontainer devcontainers = 17;
 
-  map<string,Secret> user_secrets = 19;
+  repeated Secret user_secrets = 19;
 }
 
 message Secret {
   string name = 1;
   string env_name = 2;
   string file_path = 3;
+  string value = 4;
 }
 
 message WorkspaceAgentDevcontainer {
diff --git a/coderd/agentapi/manifest.go b/coderd/agentapi/manifest.go
@@ -97,6 +97,8 @@ func (a *ManifestAPI) GetManifest(ctx context.Context, _ *agentproto.GetManifest
 		return nil, xerrors.Errorf("fetching workspace agent data: %w", err)
 	}
 
+	_ = userSecrets
+
 	appSlug := appurl.ApplicationURL{
 		AppSlugOrPort: "{{port}}",
 		AgentName:     workspaceAgent.Name,
@@ -153,13 +155,14 @@ func (a *ManifestAPI) GetManifest(ctx context.Context, _ *agentproto.GetManifest
 	}, nil
 }
 
-func dbUserSecretsToProto(userSecrets []database.UserSecret) map[string]*agentproto.Secret {
-	userSecretsProto := make(map[string]*agentproto.Secret)
-	for _, userSecret := range userSecrets {
-		userSecretsProto[userSecret.Name] = &agentproto.Secret{
+func dbUserSecretsToProto(userSecrets []database.UserSecret) []*agentproto.Secret {
+	userSecretsProto := make([]*agentproto.Secret, 0)
+	for i, userSecret := range userSecrets {
+		userSecretsProto[i] = &agentproto.Secret{
 			Name:     userSecret.Name,
 			EnvName:  userSecret.EnvName,
 			FilePath: userSecret.FilePath,
+			Value:    userSecret.Value,
 		}
 	}
 
diff --git a/codersdk/agentsdk/agentsdk.go b/codersdk/agentsdk/agentsdk.go
@@ -114,6 +114,7 @@ type Manifest struct {
 	Metadata                 []codersdk.WorkspaceAgentMetadataDescription `json:"metadata"`
 	Scripts                  []codersdk.WorkspaceAgentScript              `json:"scripts"`
 	Devcontainers            []codersdk.WorkspaceAgentDevcontainer        `json:"devcontainers"`
+	UserSecrets              []codersdk.UserSecretWithValue               `json:"user_secrets"`
 }
 
 type LogSource struct {
diff --git a/codersdk/agentsdk/convert.go b/codersdk/agentsdk/convert.go
@@ -43,6 +43,11 @@ func ManifestFromProto(manifest *proto.Manifest) (Manifest, error) {
 	if err != nil {
 		return Manifest{}, xerrors.Errorf("error converting workspace agent devcontainers: %w", err)
 	}
+	userSecrets, err := SecretsFromProto(manifest.UserSecrets)
+	if err != nil {
+		return Manifest{}, xerrors.Errorf("error converting workspace agent devcontainers: %w", err)
+	}
+
 	return Manifest{
 		ParentID:                 parentID,
 		AgentID:                  agentID,
@@ -62,6 +67,7 @@ func ManifestFromProto(manifest *proto.Manifest) (Manifest, error) {
 		DisableDirectConnections: manifest.DisableDirectConnections,
 		Metadata:                 MetadataDescriptionsFromProto(manifest.Metadata),
 		Devcontainers:            devcontainers,
+		UserSecrets:              userSecrets,
 	}, nil
 }
 
@@ -449,3 +455,24 @@ func ProtoFromDevcontainer(dc codersdk.WorkspaceAgentDevcontainer) *proto.Worksp
 		ConfigPath:      dc.ConfigPath,
 	}
 }
+
+func SecretsFromProto(pss []*proto.Secret) ([]codersdk.UserSecretWithValue, error) {
+	ret := make([]codersdk.UserSecretWithValue, len(pss))
+	for i, ps := range pss {
+		secret, err := SecretFromProto(ps)
+		if err != nil {
+			return nil, xerrors.Errorf("parse secret %v: %w", i, err)
+		}
+		ret[i] = secret
+	}
+	return ret, nil
+}
+
+func SecretFromProto(ps *proto.Secret) (codersdk.UserSecretWithValue, error) {
+	return codersdk.UserSecretWithValue{
+		Name:     ps.Name,
+		EnvName:  ps.EnvName,
+		FilePath: ps.FilePath,
+		Value:    ps.Value,
+	}, nil
+}
diff --git a/codersdk/user_secrets.go b/codersdk/user_secrets.go
@@ -41,6 +41,18 @@ type UserSecret struct {
 	UpdatedAt   time.Time `json:"updated_at" format:"date-time"`
 }
 
+type UserSecretWithValue struct {
+	ID          uuid.UUID `json:"id" format:"uuid"`
+	UserID      uuid.UUID `json:"user_id" format:"uuid"`
+	Name        string    `json:"name"`
+	Description string    `json:"description,omitempty"`
+	EnvName     string    `json:"env_name,omitempty"`
+	FilePath    string    `json:"file_path,omitempty"`
+	Value       string    `json:"value"`
+	CreatedAt   time.Time `json:"created_at" format:"date-time"`
+	UpdatedAt   time.Time `json:"updated_at" format:"date-time"`
+}
+
 type UserSecretValue struct {
 	Value string `json:"value"`
 }
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts

Original file line number	Diff line number	Diff line change
`@@ -1410,6 +1410,10 @@ func (a *agent) updateCommandEnv(current []string) (updated []string, err error)`
`1410`	`1410`	`}`
`1411`	`1411`	`envs["PATH"] = fmt.Sprintf("%s%c%s", a.scriptRunner.ScriptBinDir(), filepath.ListSeparator, envs["PATH"])`
`1412`	`1412`
	`1413`	`+ for _, secret := range manifest.UserSecrets {`
	`1414`	`+ envs[secret.EnvName] = secret.Value`
	`1415`	`+ }`
	`1416`	`+`
`1413`	`1417`	`for k, v := range envs {`
`1414`	`1418`	`updated = append(updated, fmt.Sprintf("%s=%s", k, v))`
`1415`	`1419`	`}`
Original file line number	Diff line number	Diff line change
`@@ -99,13 +99,14 @@ message Manifest {`
`99`	`99`	`repeated WorkspaceAgentMetadata.Description metadata = 12;`
`100`	`100`	`repeated WorkspaceAgentDevcontainer devcontainers = 17;`
`101`	`101`
`102`		`- map<string,Secret> user_secrets = 19;`
	`102`	`+ repeated Secret user_secrets = 19;`
`103`	`103`	`}`
`104`	`104`
`105`	`105`	`message Secret {`
`106`	`106`	`string name = 1;`
`107`	`107`	`string env_name = 2;`
`108`	`108`	`string file_path = 3;`
	`109`	`+ string value = 4;`
`109`	`110`	`}`
`110`	`111`
`111`	`112`	`message WorkspaceAgentDevcontainer {`
Original file line number	Diff line number	Diff line change
`@@ -97,6 +97,8 @@ func (a ManifestAPI) GetManifest(ctx context.Context, _ agentproto.GetManifest`
`97`	`97`	`return nil, xerrors.Errorf("fetching workspace agent data: %w", err)`
`98`	`98`	`}`
`99`	`99`
	`100`	`+ _ = userSecrets`
	`101`	`+`
`100`	`102`	`appSlug := appurl.ApplicationURL{`
`101`	`103`	`AppSlugOrPort: "{{port}}",`
`102`	`104`	`AgentName: workspaceAgent.Name,`
`@@ -153,13 +155,14 @@ func (a ManifestAPI) GetManifest(ctx context.Context, _ agentproto.GetManifest`
`153`	`155`	`}, nil`
`154`	`156`	`}`
`155`	`157`
`156`		`-func dbUserSecretsToProto(userSecrets []database.UserSecret) map[string]*agentproto.Secret {`
`157`		`- userSecretsProto := make(map[string]*agentproto.Secret)`
`158`		`- for _, userSecret := range userSecrets {`
`159`		`- userSecretsProto[userSecret.Name] = &agentproto.Secret{`
	`158`	`+func dbUserSecretsToProto(userSecrets []database.UserSecret) []*agentproto.Secret {`
	`159`	`+ userSecretsProto := make([]*agentproto.Secret, 0)`
	`160`	`+ for i, userSecret := range userSecrets {`
	`161`	`+ userSecretsProto[i] = &agentproto.Secret{`
`160`	`162`	`Name: userSecret.Name,`
`161`	`163`	`EnvName: userSecret.EnvName,`
`162`	`164`	`FilePath: userSecret.FilePath,`
	`165`	`+ Value: userSecret.Value,`
`163`	`166`	`}`
`164`	`167`	`}`
`165`	`168`
Original file line number	Diff line number	Diff line change
`@@ -114,6 +114,7 @@ type Manifest struct {`
`114`	`114`	Metadata []codersdk.WorkspaceAgentMetadataDescription `json:"metadata"`
`115`	`115`	Scripts []codersdk.WorkspaceAgentScript `json:"scripts"`
`116`	`116`	Devcontainers []codersdk.WorkspaceAgentDevcontainer `json:"devcontainers"`
	`117`	+ UserSecrets []codersdk.UserSecretWithValue `json:"user_secrets"`
`117`	`118`	`}`
`118`	`119`
`119`	`120`	`type LogSource struct {`