Secrets Management
The Ops Platform secrets feature is a key component in building a scalable and secure workflow automation system for your team. For example, running Ops from within Slack is easy, but entering passwords or other types of secrets into the Slack UI is not secure (anything entered into the UI is available on the Slack servers). To solve this problem, the Ops Platform enables you to connect your secrets provider to your Ops. (We currently support Hashicorp Vault, but we expect to add more providers in the future.) By integrating a third-party secrets provider, you can rest assured that your shared secrets are safe.
Using the Default Provider
When you create a team for The Ops Platform, you will get a default encrypted secrets provider out of the box. You can optionally register your own provider.
To see if any secrets are set for your current team, run this command:
ops secrets:list
When you first create a team, you'll see the message:
Try again or run $ ops team:switch to switch your current team.
Setting a Secret
ops secrets:set
You will then be prompted for the name and value of the secret. Once you have added a name and a value for your new secret, you'll see this confirmation message:
Great job! Secret key has been added to your team teamname!
Using a Secret
To make use of a stored secret in one of your Ops, use the SDK's secret prompt type instead of a plain text prompt; the value is resolved from your team's secrets store rather than typed into the chat UI. Here is the Node.js example:
const { ux } = require('@cto.ai/sdk') // the Ops Platform SDK exports the ux prompt helpers

const inputPrompts = [
  {
    type: 'secret',                    // resolve the value from the team's secrets store
    name: 'keyName',                   // name of the secret key to look up
    message: 'Enter your secret here',
  },
]

// INPUT
async function main() {
  const { keyName } = await ux.prompt(inputPrompts)
  // use keyName here; never print or log the secret value
}
main()
Registering a new Secrets Provider
By default, your team uses the secret store we provide, so no setup is required. For production use, however, we recommend you consider HashiCorp Vault.
Using Hashicorp Vault
We provide a secrets store that is set up by default for your account. However, if you would prefer to use Hashicorp Vault, you can optionally use that as your secret provider.
If you are not familiar with Vault, these instructions will help you set up a testing instance so that you can try The Ops Platform with Vault. If you wish to use Vault in your production environment, you will need a production deployment of Vault, not the local test instance you set up in this tutorial.
Install Vault locally
Download the Hashicorp Vault binary and run it on your computer.
From the directory where you downloaded the binary, run: ./vault server -dev
Note: If you're using Vault on macOS, you may see an error when you first try to run Vault. If you see this error, you'll have to allow the executable to run. To do this, open System Preferences > Security and Privacy and choose "Open Anyway" for the error that Vault was blocked.
Retrieve ROOT_TOKEN from the logs
The dev server prints a root token in its startup output. Use that token to register your Vault with the Ops CLI:
ops run @vahid/vault --url "http://host.docker.internal:8200" --token [ROOT_TOKEN] --team [YOUR_TEAM_NAME] configure
This will set up the team structure in the Vault and return a new team token associated with your team.
Note: You can retrieve your current team name by running:
ops whoami
You can also use this Op to work with the created team in the Vault. For example, to show the existing secrets, run:
ops run vault --url "http://host.docker.internal:8200" --token [TEAM_TOKEN] --team [YOUR_TEAM_NAME] secret list
You can also check the contents of your Vault by opening the Vault UI in a web browser at http://127.0.0.1:8200/ui/vault/secrets.
Note: once you have Vault installed, you will need to create a static URL so that it's accessible externally. You would not do this in production; it's only for this exercise, and you should shut down the tunnel when you are done.
Exposing your local vault to the public Internet requires a service such as https://ngrok.com
Install ngrok
To set up ngrok, follow these steps: https://dashboard.ngrok.com/get-started. Essentially, you need to install the application and then add your authentication token. After that, you can add your internal Vault as a public URL by running: ./ngrok http 8200. When you run this command, ngrok will open a terminal UI that shows the URL in use for your Vault.
Once you have your Vault set up and it's accessible publicly via the Internet, you can register your new provider using:
ops secrets:register
Enter the URL (your public Vault URL from ngrok plus the team name, e.g., http://xxxx.ngrok.io/teamName) and token you received when you set up the provider for your team.
After you have registered your new provider, you can set and use secrets with the same commands as the default provider.
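Because the configure step hands you two tokens (ROOT_TOKEN and the team token), it is worth checking which one you are about to register. The script below is an added example, not part of the Ops CLI or Vault; it assumes the Vault HTTP API is reachable at the ngrok base URL (without the /teamName suffix), that the token is the team token from the configure step, and that curl, sed and grep are available. It refuses a token that carries Vault's root policy and a URL that is plain http, since ngrok also serves an https URL for the same tunnel.

```shell
#!/bin/sh
# Pre-registration check for `ops secrets:register` (added example, hypothetical helper).
# Usage: check_before_register https://xxxx.ngrok.io "$TEAM_TOKEN"

# Return 0 if a /v1/auth/token/lookup-self JSON body lists the "root" policy.
token_is_root() {
  # $1 = JSON body as returned by Vault (single line)
  printf '%s' "$1" \
    | sed -n 's/.*"policies"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p' \
    | grep -q '"root"'
}

# Return 0 if the URL is plain http (token and secrets would cross the Internet in clear).
url_is_plain_http() {
  case "$1" in
    http://*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Ask Vault what the token can do; prints the JSON body.
lookup_self() {
  # $1 = Vault base URL, $2 = token
  curl -sS -H "X-Vault-Token: $2" "$1/v1/auth/token/lookup-self"
}

# Exit non-zero if the URL is plain http or the token is the root token.
check_before_register() {
  url="$1"; token="$2"
  if url_is_plain_http "$url"; then
    echo "refuse: $url is plain http; use the https ngrok URL" >&2
    return 1
  fi
  body="$(lookup_self "$url" "$token")" || return 1
  if token_is_root "$body"; then
    echo "refuse: this token carries the root policy; register the team token instead" >&2
    return 1
  fi
  echo "ok: scoped token over https; safe to pass to ops secrets:register"
}
```

The two JSON shapes the check distinguishes are the root token (`"policies":["root"]`) and a scoped team token (`"policies":["default","team-..."]`).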
What's next?
- Our Build an Op Tutorial includes step-by-step instructions on how secrets can be used in your Ops
- To see how you can request a secret in your Ops, please go to the NodeJS, Python, Golang or Bash SDK pages