Secrets
In the platform, secrets and variables are provided as credentials and inputvars, respectively. The contents are stored in the users’ AWS account in Parameter Store. They are encrypted twice: once with AWS KMS and once with Config0. These secrets can only be accessed through AWS roles.[1]
Credential Types
- Credentials: Simplify management of common third-party integrations. These are encrypted, stored securely, and referenced as environment variables within the platform.
- Inputvars: Offer greater flexibility and are intended to replace credentials in the future. Like credentials, inputvars are also encrypted and stored securely. However, inputvars can be referenced not only as environment variables but also within stacks as stack arguments.
  - For example, a specific stack argument can be accessed as `stack.inputvars["slack_webhook_hash"]`.
  - This allows for more granular control and customization within stacks.
Conventions
| Name | Type | Description | Conventions |
|---|---|---|---|
| aws | credentials | AWS IAM key pair | user-id → AWS access key; password → AWS secret key; fetched in env var → `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` |
| do-token | credentials | DigitalOcean API token | user-id → blank; password → API token; fetched in env var → `DO_TOKEN`, `DIGITALOCEAN_TOKEN`, `TF_VAR_DO_TOKEN` |
| github-token | inputvars | GitHub API token | `GITHUB_TOKEN` → GitHub token; fetch in stack → `stack.inputvars["github_token"]` |
| docker-token | inputvars | Docker token | `DOCKER_TOKEN` → Docker token; fetch in stack → `stack.inputvars["docker_token"]` |
| slack | inputvars | Slack webhook | `slack_webhook_hash` → Slack webhook; fetch in stack → `stack.inputvars["slack_webhook_hash"]` |
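
The following is an added example, not part of Config0's documentation or code: a preflight check a job could run to confirm that the environment variables named in the credentials rows of the table are populated and that the three DigitalOcean aliases agree, reporting only hash fingerprints and never the values. The function names, and the requirement that the aliases be identical, are assumptions.

```python
import hashlib
import os

# Env var names from the "credentials" rows of the conventions table.
# Each inner list is a group of aliases expected to hold the same value
# (assumption: the platform fills every alias from one stored secret).
EXPECTED_ENV = {
    "aws": [["AWS_ACCESS_KEY_ID"], ["AWS_SECRET_ACCESS_KEY"]],
    "do-token": [["DO_TOKEN", "DIGITALOCEAN_TOKEN", "TF_VAR_DO_TOKEN"]],
}


def fingerprint(value):
    """Short SHA-256 prefix: lets two values be compared in logs
    without writing either value to the log."""
    return hashlib.sha256(value.encode()).hexdigest()[:8]


def preflight(env):
    """Return a list of findings; an empty list means every expected
    variable is set, non-empty, and consistent across aliases."""
    findings = []
    for cred, groups in EXPECTED_ENV.items():
        for names in groups:
            usable = {}
            for name in names:
                raw = env.get(name)
                if raw is None:
                    findings.append(f"{cred}: {name} is not set")
                elif not raw.strip():
                    findings.append(f"{cred}: {name} is empty")
                elif raw != raw.strip():
                    findings.append(f"{cred}: {name} has surrounding whitespace")
                else:
                    usable[name] = raw
            # Aliases that disagree usually mean one was overridden or is stale.
            if len(set(usable.values())) > 1:
                detail = ", ".join(
                    f"{n}=sha256:{fingerprint(v)}" for n, v in sorted(usable.items())
                )
                findings.append(f"{cred}: aliases disagree ({detail})")
    return findings


if __name__ == "__main__":
    for line in preflight(os.environ) or ["all expected credential variables are set"]:
        print(line)
```
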
[1] Config0 does not store these secrets or sensitive information.