In Matillion ETL, are the values set in Environment Variables accessible only from within the Matillion application?
Or is it also possible for the operating system—such as the EC2 instance running Matillion ETL—to access the values of these Environment Variables?
The intent behind this question is to assess the security implications. If API keys or other sensitive information are stored in the Environment Variables, and they are only accessible from within the Matillion ETL application, that would be acceptable. However, if an attacker were to gain unauthorized access to the underlying OS and could retrieve those values, it would pose a security risk.
Thanks for your post, Matillion ETL uses a Postgres datastore to provide persistent storage of the instance metadata. As the job/environment variables are part of the instance, these, together with their associated values, are stored here.
As such, if you can log into the Postgres database, run some SQL, and extract the values stored in the variables.
But - without access to the Postgres database, these are not available to the EC2 instance.
I hope that helps, please let me know if you need anymore information.
Thanks for your clarification earlier. I have a few follow-up questions regarding access control and authentication for the internal Postgres database used by Matillion ETL:
Authentication Method
What authentication method is used for logging into the Postgres database? (e.g., local user account, username/password, key file, etc.)
Connection Scope
Is the Postgres database accessible only from the local EC2 instance, or can it also be accessed remotely?
OS User Privileges
If someone has administrative privileges on the EC2 instance (e.g., root or matillion user), would they be able to directly access the Postgres database?