    Cloudron Forum
    Solved: How do you manage secrets/credentials during runtime?

    Category: Support
    Tags: secrets, env
    • saikarthik (last edited by girish)

      I am building a custom Node.js app that makes API requests to a third party application. Where can I store secrets/credentials (API key) I would need during runtime? I do not want to store this in the docker container even in a private repo.

      • girish (Staff)

        Putting things in /app/data is the preferred approach. Another "hidden" approach is to use the "cloudron env" CLI tool. This sets environment variables in an app. For example, cloudron env set FOO=bar. Note that environment variables starting with CLOUDRON_ are reserved for Cloudron packaging.

        • mehdi (App Dev) @saikarthik

          @saikarthik Just put it in a file in /app/data that the app reads at runtime

            • saikarthik (last edited by saikarthik)

              The Dockerfile entrypoint script (start.sh) executes server.js where Node.js server is initialized and starts "listening" to serve HTTP requests. Before it enters the listening state, I read the secret file from /app/data/secret.txt and set the variables used within this script. In this case, how and when exactly would the /app/data/secret.txt file be created?

              sample server.js:

              "use strict";
              var http = require("http");
              const fs = require("fs");

              var API_KEY = "";
              // Asynchronous read: the callback may run after server.listen() below,
              // so API_KEY is still "" for any request that arrives before it fires.
              fs.readFile("/app/data/secret.txt", { encoding: "utf8" }, function (err, data) {
                  if (err)
                      console.log(err);
                  else {
                      API_KEY = data;
                      console.log("INFO::secret:" + API_KEY);
                  }
              });

              // Demo handler: echoes whatever API_KEY currently holds.
              var server = http.createServer(function (request, response) {
                  response.writeHead(200, { "Content-Type": "text/plain" });
                  response.end(API_KEY);
              });

              server.listen(3000);
              console.log("Server running at port 3000");
              
              • mehdi (App Dev) @saikarthik

                @saikarthik You can do a condition and display an error if the secret is not present. And after installing the app, you can create the secret file manually with the file manager

                • saikarthik @mehdi (last edited by saikarthik)

                  @mehdi said in How do you manage secrets/credentials during runtime?:

                  @saikarthik You can do a condition and display an error if the secret is not present. And after installing the app, you can create the secret file manually with the file manager

                  Is there anyway to automate this?

                  • mehdi (App Dev) @saikarthik

                    @saikarthik What kind of automation are you looking for? I mean if the token in said file is secret, there's gotta be a point where you enter it manually, isn't there?

                    • saikarthik @mehdi (last edited by saikarthik)

                      @mehdi I agree. But there are definitely ways, like using Terraform Vault or AWS Secrets Manager, etc.
                      But I wanted to see how others are doing it and what the easiest way was in the cloudron environment/setup.

                      My devops day job really got me into deploying everything with one-click lol. So just curious, this is not a deal breaker.

                      • marcusquinn @saikarthik

                        @saikarthik Terraform Vault makes most sense. Wouldn't put anything of value on AWS.

                        We're not here for a long time - but we are here for a good time :)
                        Jersey/UK
                        Work & Ecommerce Advice: https://brandlight.org
                        Personal & Software Tips: https://marcusquinn.com

                        • saikarthik @marcusquinn

                          @marcusquinn I haven't worked with Terraform Vault, but are you saying this because AWS Secrets Manager saves things as plain text?

                          • saikarthik

                            For anyone who stumbled upon this:
                            I ended up using environment variables instead of the file in /app/data/ method, since it's easier to work with, especially in Node.js, so you don't have to worry about the asynchronous/synchronous problem.

                            • marcusquinn @saikarthik

                              @saikarthik Nope, I just don't like Amazon's ethics.

                              • https://www.ethicalconsumer.org/company-profile/amazoncom-inc
