>>> [!note] Migrated issue <!-- Drupal.org comment --> <!-- Migrated from issue #3559845. --> Reported by: [mxr576](https://www.drupal.org/user/315522) Related to !23 >>> <h3 id="summary-problem-motivation">Problem/Motivation</h3> <p> In the current version of the amazee.ai AI Provider module, environment-specific information and credentials (for both Amazee AI and the associated vector database) are stored in configuration entities, including <code>ai_provider_amazeeio.settings</code>, <code>key.key.amazeeio_ai</code>, and <code>key.key.amazeeio_ai_database</code>.<br> This is problematic because configuration is stored in the active database by default and is typically exported and imported across environments, which can both leak credentials through database dumps and configuration exports and unexpectedly rewire a Drupal site to another environment's LLM or vector database when databases or configs are copied (for example, on Lagoon). </p> <p> These issues are part of the broader credential storage concerns coordinated under <span class="drupalorg-gitlab-issue-link drupalorg-gitlab-link-wrapper"><a href="https://git.drupalcode.org/project/ai_provider_amazeeio/-/work_items/3559854" class="drupalorg-gitlab-link">https://git.drupalcode.org/project/ai_provider_amazeeio/-/work_items/3559854</a></span>, but a small, targeted change can immediately reduce risk and prevent accidental cross-environment connections while a longer term strategy is designed in the meta issue above. </p> <h4 id="summary-steps-reproduce">Steps to reproduce</h4> <ol> <li>Install <code>ai_provider_amazeeio</code> and configure Amazee AI and vector database credentials via the settings UI.</li> <li>Export configuration and inspect the exported files to see that credentials and environment-specific connection details are part of the exported config.</li> <li>Copy the database or configuration between environments (for example, using Lagoon UI) and observe that the target environment may now connect to the wrong LLM/vector database using credentials from the source environment.</li> </ol> <h3 id="summary-proposed-resolution">Proposed resolution</h3> <p> Add a soft or hard dependency on the Config Ignore module and implement <code>hook_config_ignore_ignored_alter()</code> in <code>ai_provider_amazeeio</code> to ensure that specific configuration keys storing environment-specific information and credentials are excluded from configuration export and import.<br> This will help keep secrets and environment bindings out of configuration synchronization for these keys, but it DOES NOT prevent issues related to database cloning or credentials that still reside in database dumps. </p> <h3 id="summary-remaining-tasks">Remaining tasks</h3> <ul> <li>Decide whether <code>config_ignore</code> should be a hard dependency, soft dependency, or only recommended dependency.</li> <li>Implement <code>hook_config_ignore_ignored_alter()</code> and add tests that verify the targeted keys are ignored.</li> <li>Update project documentation to describe how and why these configuration keys are ignored, including notes for environments like Lagoon where database copies are common, and explicitly state that this approach does not mitigate risks from leaked database dumps.</li> </ul> <h3 id="summary-ui-changes">User interface changes</h3> <p>None.</p> <h3 id="summary-api-changes">API changes</h3> <p>None.</p> <h3 id="summary-data-model-changes">Data model changes</h3> <p>None.</p> > Related issue: [Issue #3559854](https://www.drupal.org/node/3559854) > Related issue: [Issue #3559849](https://www.drupal.org/node/3559849)