How do you manage secrets/credentials during runtime?

saikarthik

I am building a custom Node.js app that makes API requests to a third party application. Where can I store secrets/credentials (API key) I would need during runtime? I do not want to store this in the docker container even in a private repo.

girish

Putting things /app/data is the preferred approach. Another "hidden" approach is to use "cloudron env" CLI tool. This sets environment variables in an app. For example, cloudron env set FOO=bar. Note that environment variables starting with CLOUDRON_ are reserved for cloudron packaging.

mehdi

@saikarthik Just put it in a file in /app/data that the app reads at runtime

girish

Putting things /app/data is the preferred approach. Another "hidden" approach is to use "cloudron env" CLI tool. This sets environment variables in an app. For example, cloudron env set FOO=bar. Note that environment variables starting with CLOUDRON_ are reserved for cloudron packaging.

saikarthik

The Dockerfile entrypoint script (start.sh) executes server.js where Node.js server is initialized and starts "listening" to serve HTTP requests. Before it enters the listening state, I read the secret file from /app/data/secret.txt and set the variables used within this script. In this case, how and when exactly would the /app/data/secret.txt file be created?

sample server.js:

"use strict";
var http = require("http");
const fs = require('fs')

var API_KEY = ""
fs.readFile("/app/data/secret.txt",
    {"encoding": "utf8"},
              function(err, data) {
     if (err)
        console.log(err);
     else {
        API_KEY = data;
        console.log("INFO::secret:" + API_KEY)
    }
 });

var server = http.createServer(function (request, response) {
  response.writeHead(200, {"Content-Type": "text/plain"});
  response.end(API_KEY);
});

server.listen(3000);
console.log("Server running at port 3000");

mehdi

@saikarthik You can do a condition and display an error if the secret is not present. And after installing the app, you can create the secret file manually with the file manager

saikarthik

@mehdi said in How do you manage secrets/credentials during runtime?:

@saikarthik You can do a condition and display an error if the secret is not present. And after installing the app, you can create the secret file manually with the file manager

Is there anyway to automate this?

mehdi

@saikarthik What kind of automation are you looking for? I mean if the token in said file is secret, there's gotta be a point where you enter it manually, isn't there?

saikarthik

@mehdi I agree. But there are definitely ways like using Terraform Vault or AWS secretsmanger, etc.
But I wanted to see how others are doing it and what the easiest way was in the cloudron environment/setup.

My devops day job really got me into deploying everything with one-click lol. So just curious, this is not a deal breaker.

marcusquinn

@saikarthik Terraform Vault makes most sense. Wouldn't put anything of value on AWS.

saikarthik

@marcusquinn I havent worked with Terraform Vault, but are you saying this because AWS secrets manager saves things as plain text?

saikarthik

For anyone who stumbled upon this:
I ended up using environment variables instead of using the file in /app/data/ method, since its easier to work with, especially in Node.js so you don't have to worry about the asynchronous/synchronous problem.

marcusquinn

@saikarthik Nope, I just don't like Amazon's ethics.

• https://www.ethicalconsumer.org/company-profile/amazoncom-inc