Secrets.
In the platform, secrets and variables are provided as credentials and inputvars, respectively. Their contents are stored in the user's own AWS account in Parameter Store, encrypted twice: once with AWS KMS and once with Config0. These secrets can only be accessed through AWS roles.[^1]
- Credentials: They serve to simplify the management of common third-party integrations. These credentials are encrypted and stored securely. They are referenced as environment variables within the platform.
- Inputvars: They offer greater flexibility and are intended to replace credentials in the future. Like credentials, inputvars are encrypted and stored securely. However, inputvars can be referenced not only as environment variables but also within stacks as stack arguments.
  - For example, a specific stack argument can be accessed as `stack.inputvars["slack_webhook_hash"]`.
  - This allows for more granular control and customization within the stacks.
Conventions.
| name | type | description | conventions |
|---|---|---|---|
| aws | credentials | AWS IAM key pair | `user-id` => AWS access key; `password` => AWS secret key; fetched in env var => `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` |
| do-token | credentials | DigitalOcean API token | `user-id` => `<blank>`; `password` => API token; fetched in env var => `DO_TOKEN`, `DIGITALOCEAN_TOKEN`, `TF_VAR_DO_TOKEN` |
| gitlab-token | inputvars | GitLab API token | `GITLAB_TOKEN` => `<gitlab api token>`; fetched in env var => `GITLAB_TOKEN` |
| github-token | inputvars | GitHub API token | `GITHUB` => `<github token>`; `GH_TOKEN` => `<github token>`; fetched in env var => `GITHUB_TOKEN`, `GH_TOKEN` |
| dockerhub-token | inputvars | Docker Hub API token | `DOCKER_TOKEN` => `<dockerhub token>`; `DOCKERHUB_TOKEN` => `<dockerhub token>`; fetched in env var => `DOCKER_TOKEN`, `DOCKERHUB_TOKEN` |
| slack | inputvars | Slack webhook | `slack_webhook_hash` => `<slack webhook>`; fetched in stack => `stack.inputvars["slack_webhook_hash"]` |
[^1]: Config0 does not store these secrets or sensitive information.
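The following is an added example, not Config0's own code, that models the conventions table above: it turns a list of decrypted credential and inputvar records into the environment variables a job would see, exposes inputvar contents the way `stack.inputvars` does, refuses to export two different values under one environment name, and masks values before they reach a log. The record shape (`kind`, `name`, `values`), the pairing of inputvar keys such as `GITHUB` with the environment names listed for them, and every secret value are assumptions constructed for the example.

```python
"""Added example (not Config0's own code): a model of how the conventions
table above turns stored credentials and inputvars into environment
variables and stack arguments. Record shapes and the key-to-env pairings
are assumptions drawn from that table; all secret values are constructed."""
from dataclasses import dataclass, field


@dataclass
class SecretRecord:
    kind: str                 # "credentials" or "inputvars"
    name: str                 # row name in the conventions table, e.g. "aws"
    values: dict = field(default_factory=dict)  # decrypted fields (constructed)


# Credential conventions: stored field -> environment variables that receive it.
CREDENTIAL_ENV = {
    "aws": {"user-id": ["AWS_ACCESS_KEY_ID"], "password": ["AWS_SECRET_ACCESS_KEY"]},
    "do-token": {"password": ["DO_TOKEN", "DIGITALOCEAN_TOKEN", "TF_VAR_DO_TOKEN"]},
}

# Inputvar conventions: inputvar key -> environment variables that receive it.
# The pairing of keys to env names is an assumption where the table lists several.
INPUTVAR_ENV = {
    "gitlab-token": {"GITLAB_TOKEN": ["GITLAB_TOKEN"]},
    "github-token": {"GITHUB": ["GITHUB_TOKEN"], "GH_TOKEN": ["GH_TOKEN"]},
    "dockerhub-token": {"DOCKER_TOKEN": ["DOCKER_TOKEN"], "DOCKERHUB_TOKEN": ["DOCKERHUB_TOKEN"]},
    "slack": {},  # slack_webhook_hash is read from stack.inputvars, not an env var
}


class EnvConflict(ValueError):
    """Two secrets would export different values under the same env name."""


def resolve_env(records):
    """Build the environment a job would see from a list of SecretRecords."""
    env = {}
    for rec in records:
        table = CREDENTIAL_ENV if rec.kind == "credentials" else INPUTVAR_ENV
        for key, env_names in table.get(rec.name, {}).items():
            if key not in rec.values:
                continue  # the record may omit a field the table names; export nothing
            value = rec.values[key]
            for env_name in env_names:
                if env_name in env and env[env_name] != value:
                    raise EnvConflict(f"{env_name} set by more than one secret")
                env[env_name] = value
    return env


def stack_inputvars(records):
    """Merge inputvar contents into the mapping exposed as stack.inputvars."""
    merged = {}
    for rec in records:
        if rec.kind == "inputvars":
            merged.update(rec.values)
    return merged


def redact(value, keep=4):
    """Mask a secret for logs, keeping only the last `keep` characters."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


# Constructed sample records; every value is a placeholder, not a real secret.
SAMPLE_RECORDS = [
    SecretRecord("credentials", "aws",
                 {"user-id": "AKIA-EXAMPLE-KEY", "password": "example-secret-key"}),
    SecretRecord("credentials", "do-token", {"user-id": "", "password": "do-example"}),
    SecretRecord("inputvars", "github-token",
                 {"GITHUB": "gh-example", "GH_TOKEN": "gh-example"}),
    SecretRecord("inputvars", "slack",
                 {"slack_webhook_hash": "hooks-example/T000/B000/XXXX"}),
]

if __name__ == "__main__":
    env = resolve_env(SAMPLE_RECORDS)
    for name in sorted(env):
        print(f"{name}={redact(env[name])}")
    webhook = stack_inputvars(SAMPLE_RECORDS)["slack_webhook_hash"]
    print("slack_webhook_hash:", redact(webhook))
```

The one-to-many fan-out (a single DigitalOcean token landing in `DO_TOKEN`, `DIGITALOCEAN_TOKEN` and `TF_VAR_DO_TOKEN`) is what makes the conflict check worth having: two secrets that both claim one of those names would otherwise silently overwrite each other, and the job would run with whichever was loaded last.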