Environment Variables and Protecting Exposure to Limited Access Developers?

Eddy Martinez

Hello All, did some searchign but not finding this specific use case:

Is there a way to restrict access to environment variables so that a function can not expose them, but still be used in the API?

If I rely on RBAC (Enterprise) to manage team members, they can still see envirnment variables which is a problem in our use case.

Are there any recommendations, best practices I can employ to enhance our security in this regard?

Ray Deck

Xano has no RBAC - everyone's a root user, and that creates this security challenge.

I've seen this situation handled by putting the secrets in a different account - another Xano, AWS secrets manager, etc - and having them fetched at runtime. The trick is that the key to get to the secrets manager must itself be stored in your system, so eventually someone with root access (e.g. any developer on your Xano system) could get to the secret with a little bit of work.

One can mitigate this risk through a key rotation process in which that access key is itself changed on some frequent basis, so that if they did get access, it would only be for a short while.

This security management issue is the kind of thing we work on at State Change Pro You're a member, so I'm glad to get into this question with you more deeply over there.