Recommend using Nextflow secrets for sensitive credentials in configs

Signed-off-by: Phil Ewels <phil.ewels@seqera.io>

docs/amazons3.md

@@ -35,12 +35,16 @@ The AWS access and secret keys can be specified by using the `aws` section in th
 
 ```groovy
 aws {
-    accessKey = '<Your AWS access key>'
-    secretKey = '<Your AWS secret key>'
+    accessKey = secrets.MY_ACCESS_KEY
+    secretKey = secrets.MY_SECRET_KEY
     region = '<AWS region identifier>'
 }
 ```
 
+:::{tip}
+Use {ref}`secrets-page` to avoid hardcoding sensitive credentials in configuration files.
+:::
+
 If the access credentials are not found in the above file, Nextflow looks for AWS credentials in the following order:
 
 1. The `nextflow.config` file in the pipeline execution directory
@@ -65,9 +69,9 @@ Learn more about [Using IAM Roles to Delegate Permissions to Applications that R
 To use an AWS China region, make sure to specify the corresponding AWS API S3 endpoint in the Nextflow configuration file as shown below:
 
 ```groovy
-aws { 
+aws {
     client {
-        endpoint = "https://s3.cn-north-1.amazonaws.com.cn"        
+        endpoint = "https://s3.cn-north-1.amazonaws.com.cn"
     }
 }
 ```
@@ -76,22 +80,26 @@ Read more about AWS API endpoints in the [AWS documentation](https://docs.aws.am
 
 ## S3-compatible storage
 
-To use S3-compatible object storage such as [Ceph](https://ceph.io) or [Minio](https://min.io) specify the endpoint of 
-your storage provider and enable the [S3 path style access](https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html#path-style-access) 
+To use S3-compatible object storage such as [Ceph](https://ceph.io) or [Minio](https://min.io) specify the endpoint of
+your storage provider and enable the [S3 path style access](https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html#path-style-access)
 in your Nextflow configuration as shown below:
 
 
 ```groovy
 aws {
-    accessKey = '<Your access key>'
-    secretKey = '<Your secret key>'
+    accessKey = secrets.MY_ACCESS_KEY
+    secretKey = secrets.MY_SECRET_KEY
     client {
         endpoint = '<Your storage endpoint URL>'
         s3PathStyleAccess = true
     }
 }
 ```
 
+:::{tip}
+Use {ref}`secrets-page` to avoid hardcoding sensitive credentials in configuration files.
+:::
+
 ## Advanced configuration
 
 Read {ref}`AWS configuration<config-aws>` section to learn more about advanced S3 client configuration options.

docs/aws.md

@@ -35,6 +35,10 @@ The AWS region is selected from the following sources, in order of descending pr
 2. Environment variables - `AWS_REGION` or `AWS_DEFAULT_REGION`
 3. EC2 instance metadata (if Nextflow is running in an EC2 instance)
 
+:::{tip}
+Use {ref}`secrets-page` when using Nextflow configuration files to avoid hardcoding sensitive credentials.
+:::
+
 SSO credentials and instance profile credentials are the most recommended because they don't require you to manage and distribute AWS keys explicitly. SSO credentials are ideal for launching pipelines from outside of AWS (e.g. your laptop), while instance profile credentials are ideal for launching pipelines within AWS (e.g. an EC2 instance).
 
 ## AWS IAM policies

docs/azure.md

@@ -16,8 +16,8 @@ The Blob storage account name and key need to be provided in the Nextflow config
 ```groovy
 azure {
     storage {
-        accountName = "<YOUR BLOB ACCOUNT NAME>"
-        accountKey = "<YOUR BLOB ACCOUNT KEY>"
+        accountName = secrets.BLOB_ACCOUNT_NAME
+        accountKey = secrets.BLOB_ACCOUNT_KEY
     }
 }
 ```
@@ -32,6 +32,10 @@ When creating the Shared Access Token, make sure to allow the resource types `Co
 The value of `sasToken` is the token stripped by the character `?` from the beginning of the token.
 :::
 
+:::{tip}
+Use {ref}`secrets-page` to avoid hardcoding sensitive credentials in configuration files.
+:::
+
 Once the Blob Storage credentials are set, you can access the files in the blob container like local files by prepending the file path with `az://` followed by the container name. For example, a blob container named `my-data` with a file named `foo.txt` can be specified in your Nextflow script as `az://my-data/foo.txt`.
 
 ## Azure File Shares
@@ -47,8 +51,8 @@ For example:
 ```groovy
 azure {
     storage {
-        accountName = "<YOUR BLOB ACCOUNT NAME>"
-        accountKey = "<YOUR BLOB ACCOUNT KEY>"
+        accountName = secrets.BLOB_ACCOUNT_NAME
+        accountKey = secrets.BLOB_ACCOUNT_KEY
         fileShares {
             <YOUR SOURCE FILE SHARE NAME> {
                 mountPath = "<YOUR MOUNT DESTINATION>"
@@ -123,13 +127,13 @@ process {
 
 azure {
     storage {
-        accountName = "<YOUR STORAGE ACCOUNT NAME>"
-        accountKey = "<YOUR STORAGE ACCOUNT KEY>"
+        accountName = secrets.BLOB_ACCOUNT_NAME
+        accountKey = secrets.BLOB_ACCOUNT_KEY
     }
     batch {
         location = '<YOUR LOCATION>'
-        accountName = '<YOUR BATCH ACCOUNT NAME>'
-        accountKey = '<YOUR BATCH ACCOUNT KEY>'
+        accountName = secrets.BATCH_ACCOUNT_NAME
+        accountKey = secrets.BATCH_ACCOUNT_KEY
         autoPoolMode = true
     }
 }
@@ -454,11 +458,11 @@ azure {
     }
 
     storage {
-        accountName = '<YOUR STORAGE ACCOUNT NAME>'
+        accountName = secrets.STORAGE_ACCOUNT_NAME
     }
 
     batch {
-        accountName = '<YOUR BATCH ACCOUNT NAME>'
+        accountName = secrets.BATCH_ACCOUNT_NAME
         location = '<YOUR BATCH ACCOUNT LOCATION>'
     }
 }
@@ -484,11 +488,11 @@ azure {
     }
 
     storage {
-        accountName = '<YOUR STORAGE ACCOUNT NAME>'
+        accountName = secrets.STORAGE_ACCOUNT_NAME
     }
 
     batch {
-        accountName = '<YOUR BATCH ACCOUNT NAME>'
+        accountName = secrets.BATCH_ACCOUNT_NAME
         location = '<YOUR BATCH ACCOUNT LOCATION>'
     }
 }
@@ -514,11 +518,11 @@ azure {
     }
 
     storage {
-        accountName = '<YOUR STORAGE ACCOUNT NAME>'
+        accountName = secrets.STORAGE_ACCOUNT_NAME
     }
 
     batch {
-        accountName = '<YOUR BATCH ACCOUNT NAME>'
+        accountName = secrets.BATCH_ACCOUNT_NAME
         location = '<YOUR BATCH ACCOUNT LOCATION>'
     }
 }