[25.1] Support credentials(secrets/variables) in tool requirements

[arash77]

Related to #19196
Closes #17511

Summary

This PR implements a comprehensive tool credentials system for Galaxy, allowing tools to securely access external services by defining authentication credentials (variables and secrets) in tool requirements. The system provides secure credential management while keeping sensitive information separate from tool definitions.
Youtube Video
Blog Post in Galaxy Hub
Galaxy Tool XML Schema
Valut Documentations on Credentials

Key Features

🔐 Credential Definition in Tools

• Tools can define credential requirements using <credentials> elements within <requirements>
• Support for both variables (non-sensitive config like URLs, usernames) and secrets (sensitive data like passwords, API keys)
• Optional/required credential validation
• Environment variable injection into tool execution context

🗃️ Secure Storage & Management

• Integration with Galaxy's vault system for secure secret storage
• User-specific credential isolation by tool and service
• Credential groups for organizing multiple credential sets
• Database schema with proper foreign key relationships and constraints

🌐 REST API

• Complete CRUD operations for credential management
• User credential listing with optional definition inclusion
• Group-based credential organization
• Secure deletion with vault cleanup

🎨 Frontend Integration

• Unified credential management UI for every tool
• Workflow-level credential status display
• Multi-tool credential coordination
• Real-time credential validation and feedback

⚙️ Tool Execution Integration

• Automatic credential injection as environment variables
• Job context tracking for credential usage
• Support for tool proxies and various tool types
• Backward compatibility with existing tools

Tool Definition Example

<requirements>
    <credentials name="aws_s3" version="1.0" label="AWS S3 Access" description="Credentials for accessing AWS S3 buckets">
        <variable name="region" inject_as_env="AWS_REGION" optional="false" label="AWS Region" description="The AWS region where your S3 bucket is located" />
        <secret name="access_key" inject_as_env="AWS_ACCESS_KEY_ID" optional="false" label="Access Key ID" description="Your AWS access key ID" />
        <secret name="secret_key" inject_as_env="AWS_SECRET_ACCESS_KEY" optional="false" label="Secret Access Key" description="Your AWS secret access key" />
    </credentials>
</requirements>

Screenshots

Tool Run Form

Tool with required credentials, but the user does not have a selection. The Run Tool button is disabled.

Tool with required credentials, and the user has a selection for every service

Tool with optional credentials, but the user does not have a selection.

Tool with required credentials, and the user has a selection for every service.

Tool with required and optional credentials, and the user does not have a selection. The Run Tool button is disabled.

Tool with required and optional credentials, and the user only has a selection for the required credentials.

Manage & Select Credentials Groups Modal for Tool. User can create, select or delete a group.

Manage & Select Credentials Groups Modal for Tool

Workflow Run Form

Workflow Editor

Workflow Editor

Workflow simple run with required credentials, but the user does not have a selection. The Run Workflow button is disabled.

Workflow run form with required credentials, but the user does not have a selection. The Run Workflow button is disabled.

Workflow simple run with optional credentials, but the user does not have a selection.

Workflow simple run with optional credentials, but the user does not have a selection.

Manage & Select Credentials Groups Modal for Tools in Workflow. User can create, select or delete a group for each tool.

All User Credentials Management

Database Schema

erDiagram
    galaxy_user ||--o{ user_credentials : "owns"
    user_credentials ||--o{ credentials_group : "contains"
    user_credentials ||--o| credentials_group : "current_group"
    credentials_group ||--o{ credential : "stores"
    job ||--o{ job_credentials_context : "uses"
    user_credentials ||--o{ job_credentials_context : "references"
    credentials_group ||--o{ job_credentials_context : "selected_group"

    galaxy_user {
        int id PK
    }

    user_credentials {
        int id PK
        int user_id FK
        string source_type
        string source_id
        string source_version
        string name
        string version
        int current_group_id FK
        datetime create_time
        datetime update_time
    }

    credentials_group {
        int id PK
        int user_credentials_id FK
        string name
        datetime create_time
        datetime update_time
    }

    credential {
        int id PK
        int group_id FK
        string name
        boolean is_secret
        boolean is_set
        string value
        datetime create_time
        datetime update_time
    }

    job {
        int id PK
    }

    job_credentials_context {
        int id PK
        int job_id FK
        int user_credentials_id FK
        string service_name
        string service_version
        int selected_group_id FK
        string selected_group_name
    }

Loading

API Endpoints

• GET /api/users/{user_id}/credentials?source_type=tool&source_id={tool_id}&source_version={tool_version}&include_definition={true|false} - List user credentials
• POST /api/users/{user_id}/credentials - Provide credentials
• PUT /api/users/{user_id}/credentials - Update credential group selection
• PUT /api/users/{user_id}/credentials/{user_credentials_id}/groups/{group_id} - Update specific group
• DELETE /api/users/{user_id}/credentials/{user_credentials_id} - Delete service credentials
• DELETE /api/users/{user_id}/credentials/{user_credentials_id}/groups/{group_id} - Delete specific group

How to test the changes?

(Select all options that apply)

• I've included appropriate automated tests.
• This is a refactoring of components with existing test coverage.
• Instructions for manual testing are as follows:
  1. Create a tool with credentials (use the sample file test/functional/tools/secret_tool.xml)
     2a. Open the tool run form
     2b. Create a workflow using the tool and try to run it
  2. After creating a group for a tool, you can manage them in the User Preferences -> Credentials Management

License

• I agree to license these and all my past contributions to the core galaxy codebase under the MIT license.

[jmchilton]

Do any of the use cases involve multiple tools with different IDs requesting the same secret? If not - I would make the tool id (without a version) an implicit prefix here and just attach some similar field as the suffix. This isolation feels more secure-ish to me - we wouldn't risk tools picking up other keys accidentally.

[arash77]

Well, in some use cases, maybe in the future, it will be good to access an api_key or a token for multiple tools.

[yvanlebras]

Hi John, Arash, with @Marie59 and @jeremyfix we have such use case (if I well understand) where separate tools need the same credential (here this is Copernicus marine system credentials), so I confirm that this is already a reality ;) It appears to me, at least for ecology and related environmental sciences, that it will be the case for many data providers as Copernicus for satellites remote sensing data and others.

[nuwang]

Nice to see this feature coming in. One thing I was wondering about though, should this be a requirement or be injected through the <environment_variables> section following the precedent here?
#15300

[mvdbeek]

The selenium errors don't fail elsewhere, this does look to be related.

[ahmedhamidawan]

The target for this PR needs to be changed from dev to release_25.1.

Once this is merged, the database version will have to be updated again like #21017.

@guerler

[arash77]

Test Galaxy packages / Test (3.13) seems to be failing on other PRs too, so it’s not related to this PR.