How do you manage secrets/credentials during runtime?
-
Putting things in /app/data is the preferred approach. Another "hidden" approach is to use the "cloudron env" CLI tool. This sets environment variables in an app. For example, cloudron env set FOO=bar. Note that environment variables starting with CLOUDRON_ are reserved for cloudron packaging.
-
The Dockerfile entrypoint script (start.sh) executes server.js where Node.js server is initialized and starts "listening" to serve HTTP requests. Before it enters the listening state, I read the secret file from /app/data/secret.txt and set the variables used within this script. In this case, how and when exactly would the /app/data/secret.txt file be created?
sample server.js:

```javascript
"use strict";
var http = require("http");
const fs = require("fs");

var API_KEY = "";

var server = http.createServer(function (request, response) {
  response.writeHead(200, { "Content-Type": "text/plain" });
  response.end(API_KEY);
});

// Read the secret from the app's data directory; the file has to exist
// under /app/data before the server can serve anything useful.
fs.readFile("/app/data/secret.txt", { encoding: "utf8" }, function (err, data) {
  if (err) {
    console.log(err);
    return;
  }
  API_KEY = data;
  console.log("INFO::secret:" + API_KEY);

  // readFile is asynchronous, so only start listening once the key is set;
  // otherwise the first requests would be answered with an empty API_KEY.
  server.listen(3000);
  console.log("Server running at port 3000");
});
```
-
@saikarthik You can do a condition and display an error if the secret is not present. And after installing the app, you can create the secret file manually with the file manager
-
@mehdi said in How do you manage secrets/credentials during runtime?:
@saikarthik You can do a condition and display an error if the secret is not present. And after installing the app, you can create the secret file manually with the file manager
Is there any way to automate this?
-
@saikarthik What kind of automation are you looking for? I mean if the token in said file is secret, there's gotta be a point where you enter it manually, isn't there?
-
@mehdi I agree. But there are definitely ways like using Terraform Vault or AWS Secrets Manager, etc.
But I wanted to see how others are doing it and what the easiest way was in the cloudron environment/setup. My devops day job really got me into deploying everything with one-click lol. So just curious, this is not a deal breaker.
-
@saikarthik Terraform Vault makes most sense. Wouldn't put anything of value on AWS.
-
@marcusquinn I haven't worked with Terraform Vault, but are you saying this because AWS Secrets Manager saves things as plain text?
-
For anyone who stumbled upon this:
I ended up using environment variables instead of the file in /app/data/ method, since it's easier to work with, especially in Node.js, so you don't have to worry about the asynchronous/synchronous problem.
-
@saikarthik Nope, I just don't like Amazon's ethics.