Skip to content

Add guide about secrets management with the Vault #321

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 12 commits into from
Jun 11, 2019
Merged

Add guide about secrets management with the Vault #321

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
e9f513c
feat(vault): add guide about Vault
Aschen Jun 5, 2019
df8fa60
feat(vault): add page on secrets in plugin context
Aschen Jun 5, 2019
425de00
feat(vault): add since badges
Aschen Jun 5, 2019
60c980c
Merge branch '3-dev' into KZL-1114-secrets-management
Aschen Jun 5, 2019
50bb95d
nit
Aschen Jun 5, 2019
f0dab5b
Merge branch 'KZL-1114-secrets-management' of github.com:kuzzleio/doc…
Aschen Jun 5, 2019
e78dc5e
Apply suggestions from code review
Aschen Jun 6, 2019
b94185a
Merge branch '3-dev' into KZL-1114-secrets-management
Aschen Jun 7, 2019
b2b6de8
Apply suggestions from code review
Aschen Jun 11, 2019
c22e19e
Merge branch '3-dev' into KZL-1114-secrets-management
alexandrebouthinon Jun 11, 2019
e6a9a43
Merge branch '3-dev' into KZL-1114-secrets-management
benoitvidis Jun 11, 2019
63b4e9d
Merge branch '3-dev' into KZL-1114-secrets-management
xbill82 Jun 11, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
96 changes: 96 additions & 0 deletions src/core/1/guides/essentials/secrets-vault/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,96 @@
---
code: false
type: page
title: Secrets Vault
order: 700
---

# Secrets Vault

<SinceBadge version="1.8.0" />

When you develop an application with Kuzzle, you may need to use secrets such as API keys or authentication information.

Of course, it is unacceptable to version these secrets in cleartext with the rest of your source code.

However, it is still practical to be able to share these secrets with the rest of your team, or to add them to the repository for automated production.

Kuzzle offers a secure storage system for these secrets, the operation is as follows:
- writing secrets to a JSON file,
- manual encryption of this file with a password,
- adding the encrypted file to the repository,
- automatic decryption of the file when Kuzzle starts,
- exposing the secrets in the context of plugins.

Thus, the only secret that it is necessary to communicate to the rest of his team is the encryption password of this file.

## Secrets file format

The secrets file is in JSON format. Each string value will be encrypted but the key names will remain the same.

```js
/* config/secrets.json */
{
"aws": {
"secretKeyId": "lfiduras"
},
"cloudinaryKey": "ho-chi-minh"
}
```

Once encrypted, the file will be the following:

```js
/* config/secrets.enc.json */
{
"aws": {
"secretKeyId": "536553f3181ada6f700cac98100f1266.3181ada66536553f"
},
"cloudinaryKey": "f700cac98100f1266536553f3181ada6.6536553f3181ada"
}
```

## Encrypt and decrypt with the CLI

The encryption of a secret file is done using the CLI with the following command:

```bash
./bin/kuzzle encryptSecrets config/secrets.json --vault-key strongpassword
[ℹ] Encrypting secrets...
[✔] Secrets successfully encrypted: config/secrets.enc.json
```

The file `config/secrets.enc.json` can be added safely to the project repository.

To decrypt a previously encrypted file, use the following command:

```bash
./bin/kuzzle decryptSecrets config/secrets.enc.json --vault-key strongpassword
[ℹ] Decrypting secrets...
[✔] Secrets successfully encrypted: config/secrets.json
```

::: info
You can also specify the vault key in the `KUZZLE_VAULT_KEY` environment variable.
:::

## Load encrypted secrets at startup

Kuzzle will try to decrypt the provided file in one of the following ways in order of priority:
- in the command `./bin/kuzzle start --secrets-file /var/secrets.enc.json`
- in an environment variable `export KUZZLE_SECRETS_FILE=/var/secrets.enc.json`
- the default one present at the location `<kuzzle dir>/config/secrets.enc.json`

The decryption key must be provided in one of the following ways, always in order of priority:
- in the command `./bin/kuzzle start --vault-key verystrongpassword`
- in an environment variable `export KUZZLE_VAULT_KEY=verystrongpassword`

Kuzzle start is interrupted if:
- a decryption key is provided and Kuzzle cannot find a file
- Kuzzle finds a file and no decryption key is provided

## Access secrets in plugin

Once Kuzzle has successfully loaded the file containing the secrets, he will expose its content to all the plugins.

Secrets are accessible in the [secrets](/core/1/plugins/plugin-context/secrets) property of the plugin context.
33 changes: 33 additions & 0 deletions src/core/1/plugins/plugin-context/secrets/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
---
code: true
type: page
title: secrets
---

# secrets

<SinceBadge version="1.8.0" />

Secrets contained in the [Vault](/core/1/guides/essentials/secrets-vault) and loaded at Kuzzle startup.

They have the same format as in the JSON file:

```js
/* config/secrets.enc.json */
{
"aws": {
"keyId": "a47de7426fbcb8904290e376f147bc73.8e4b35be62ecbc53"
}
}
```

```js
init (config, context) {
console.log(context.secrets);
// {
// aws: {
// keyId: 'aws key id'
// }
// }
}
```