overview

Secrets.

In the platform, secrets and variables are provided as credentials and inputvars, respectively. The contents are stored in the users' AWS account in Parameter Store. They are encrypted twice over: once with AWS/KMS and once with Config0. These secrets can only be accessed through AWS roles. [1]

  • Credentials: They serve to simplify the management of common third-party integrations. These credentials are encrypted and stored securely. They are referenced as environment variables within the platform.

  • Inputvars: They offer greater flexibility and are intended to replace credentials in the future. Like credentials, inputvars are also encrypted and stored securely. However, inputvars can be referenced not only as environment variables but also within stacks as stack arguments.

  • For example, a specific stack argument can be accessed as stack.inputvars["slack_webhook_hash"].
  • This allows for more granular control and customization within the stacks.

Conventions.


| name | type | description | conventions |
|---|---|---|---|
| aws | credentials | aws iam pair keys | user-id => aws access key; password => aws secret key; fetched in env var => AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY |
| do-token | credentials | digital ocean api token | user-id => < blank >; password => api token; fetched in env var => DO_TOKEN,DIGITALOCEAN_TOKEN,TF_VAR_DO_TOKEN |
| gitlab-token | inputvars | gitlab api token | GITLAB_TOKEN => < gitlab api token >; fetched in env var => GITLAB_TOKEN |
| github-token | inputvars | github api token | GITHUB => < github token >; GH_TOKEN => < github token >; fetched in env var => GITHUB_TOKEN,GH_TOKEN |
| dockerhub-token | inputvars | dockerhub api token | DOCKER_TOKEN => < dockerhub token >; DOCKERHUB_TOKEN => < dockerhub token >; fetched in env var => DOCKER_TOKEN,DOCKERHUB_TOKEN |
| slack | inputvars | slack webhook | slack_webhook_hash => < slack webhook >; fetch in stack => stack.inputvars["slack_webhook_hash"] |
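A preflight check built from the conventions table above, as an added example (not Config0's own code): it confirms that the environment variables each named secret is "fetched in" are present, and reports problems without ever echoing a secret value. The function name `check_secrets` is hypothetical, and the rule that alias variables for one token must hold the same value is an assumption drawn from the table. The slack entry is left out because it is fetched in the stack, not from the environment.

```python
import os
import sys

# Env vars each secret is "fetched in", copied from the conventions table.
CONVENTIONS = {
    "aws": ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"],
    "do-token": ["DO_TOKEN", "DIGITALOCEAN_TOKEN", "TF_VAR_DO_TOKEN"],
    "gitlab-token": ["GITLAB_TOKEN"],
    "github-token": ["GITHUB_TOKEN", "GH_TOKEN"],
    "dockerhub-token": ["DOCKER_TOKEN", "DOCKERHUB_TOKEN"],
}
# Entries where one token is exposed under several names (assumption: the
# aliases must match). "aws" is excluded: its two vars hold different values.
ALIASED = {"do-token", "github-token", "dockerhub-token"}


def check_secrets(required, env=None):
    """Return a list of problem strings; secret values are never included."""
    env = os.environ if env is None else env
    problems = []
    for name in required:
        if name not in CONVENTIONS:
            problems.append(f"{name}: not in conventions table")
            continue
        variables = CONVENTIONS[name]
        # Treat unset and whitespace-only values the same way.
        missing = [v for v in variables if not env.get(v, "").strip()]
        if missing:
            problems.append(f"{name}: missing or empty {', '.join(missing)}")
        elif name in ALIASED and len({env[v] for v in variables}) > 1:
            problems.append(f"{name}: aliases disagree ({', '.join(variables)})")
    return problems


if __name__ == "__main__":
    # Usage: python preflight.py aws github-token   (no args = check all)
    issues = check_secrets(sys.argv[1:] or list(CONVENTIONS))
    for line in issues:
        print(line, file=sys.stderr)
    sys.exit(1 if issues else 0)
```

Run it as the first step of a job so a missing credential fails fast instead of surfacing midway through a stack run.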

  1. Config0 does not store these secrets or sensitive information.