How do you manage secrets/credentials during runtime?
-
I am building a custom Node.js app that makes API requests to a third party application. Where can I store secrets/credentials (API key) I would need during runtime? I do not want to store this in the docker container even in a private repo.
-
Putting things
/app/datais the preferred approach. Another "hidden" approach is to use "cloudron env" CLI tool. This sets environment variables in an app. For example,cloudron env set FOO=bar. Note that environment variables starting withCLOUDRON_are reserved for cloudron packaging. -
I am building a custom Node.js app that makes API requests to a third party application. Where can I store secrets/credentials (API key) I would need during runtime? I do not want to store this in the docker container even in a private repo.
-
Putting things
/app/datais the preferred approach. Another "hidden" approach is to use "cloudron env" CLI tool. This sets environment variables in an app. For example,cloudron env set FOO=bar. Note that environment variables starting withCLOUDRON_are reserved for cloudron packaging. -
The Dockerfile entrypoint script (start.sh) executes server.js where Node.js server is initialized and starts "listening" to serve HTTP requests. Before it enters the listening state, I read the secret file from /app/data/secret.txt and set the variables used within this script. In this case, how and when exactly would the /app/data/secret.txt file be created?
sample server.js:
"use strict"; var http = require("http"); const fs = require('fs') var API_KEY = "" fs.readFile("/app/data/secret.txt", {"encoding": "utf8"}, function(err, data) { if (err) console.log(err); else { API_KEY = data; console.log("INFO::secret:" + API_KEY) } }); var server = http.createServer(function (request, response) { response.writeHead(200, {"Content-Type": "text/plain"}); response.end(API_KEY); }); server.listen(3000); console.log("Server running at port 3000"); -
The Dockerfile entrypoint script (start.sh) executes server.js where Node.js server is initialized and starts "listening" to serve HTTP requests. Before it enters the listening state, I read the secret file from /app/data/secret.txt and set the variables used within this script. In this case, how and when exactly would the /app/data/secret.txt file be created?
sample server.js:
"use strict"; var http = require("http"); const fs = require('fs') var API_KEY = "" fs.readFile("/app/data/secret.txt", {"encoding": "utf8"}, function(err, data) { if (err) console.log(err); else { API_KEY = data; console.log("INFO::secret:" + API_KEY) } }); var server = http.createServer(function (request, response) { response.writeHead(200, {"Content-Type": "text/plain"}); response.end(API_KEY); }); server.listen(3000); console.log("Server running at port 3000"); -
@saikarthik You can do a condition and display an error if the secret is not present. And after installing the app, you can create the secret file manually with the file manager
@mehdi said in How do you manage secrets/credentials during runtime?:
@saikarthik You can do a condition and display an error if the secret is not present. And after installing the app, you can create the secret file manually with the file manager
Is there anyway to automate this?
-
@mehdi said in How do you manage secrets/credentials during runtime?:
@saikarthik You can do a condition and display an error if the secret is not present. And after installing the app, you can create the secret file manually with the file manager
Is there anyway to automate this?
-
@saikarthik What kind of automation are you looking for? I mean if the token in said file is secret, there's gotta be a point where you enter it manually, isn't there?
@mehdi I agree. But there are definitely ways like using Terraform Vault or AWS secretsmanger, etc.
But I wanted to see how others are doing it and what the easiest way was in the cloudron environment/setup.My devops day job really got me into deploying everything with one-click lol. So just curious, this is not a deal breaker.
-
@mehdi I agree. But there are definitely ways like using Terraform Vault or AWS secretsmanger, etc.
But I wanted to see how others are doing it and what the easiest way was in the cloudron environment/setup.My devops day job really got me into deploying everything with one-click lol. So just curious, this is not a deal breaker.
@saikarthik Terraform Vault makes most sense. Wouldn't put anything of value on AWS.
Web Design https://www.evergreen.je
Development https://brandlight.org
Life https://marcusquinn.com -
@saikarthik Terraform Vault makes most sense. Wouldn't put anything of value on AWS.
@marcusquinn I havent worked with Terraform Vault, but are you saying this because AWS secrets manager saves things as plain text?
-
For anyone who stumbled upon this:
I ended up using environment variables instead of using the file in /app/data/ method, since its easier to work with, especially in Node.js so you don't have to worry about the asynchronous/synchronous problem. -
@marcusquinn I havent worked with Terraform Vault, but are you saying this because AWS secrets manager saves things as plain text?
@saikarthik Nope, I just don't like Amazon's ethics.
