Secrets Management

The Ops Platform secrets feature is a key component in building a scalable and secure workflow automation system for your team. For example, running Ops from within Slack is easy, but entering passwords or other types of secrets into the Slack UI is not secure (anything entered into the UI is available on the Slack servers). To solve this problem, the Ops Platform enables you to connect your secrets provider to your Ops. (We currently support Hashicorp Vault, but we expect to add more providers in the future.) By integrating a third-party secrets provider, you can rest assured that your shared secrets are safe.

Using the Default Provider

When you create a team for The Ops Platform, you will get a default encryped secrets provider out of the box. You can optionally register your own provider.

To see if any secrets are set for your current team, run this command:

ops secrets:list

When you first create a team, you'll see the message:

   Try again or run $ ops team:switch to switch your current team.

Setting a Secret

ops secrets:set

You will then be prompted for the name and value of the secret. Once you have added a name and a value for your new secret, you'll see this confirmation message:

🙌 Great job! Secret key has been added to your team teamname!

Using a Secret

To make use of a stored secret in one of your Ops, you can use the SDK prompt for a password. Here is the Node.js example:

const inputPrompts = [
  {
    type: 'secret',
    name: 'keyName’',
    message: 'Enter your secret here',
  },
]

// INPUT
const { keyName } = await ux.prompt(inputPrompts)

Registering a new Secrets Provider

To set up a secrets provider for your team, you can use the default secret store which we provide for your team. However, in production, we recommend you consider HashiCorp Vault.

Using Hashicorp Vault

We provide a secrets store that is setup by default for your account. However, if you would prefer to use Hashicorp Vault, you can optionally use that as your secret provider.

If you are not familiar with Vault, these instructions will help you set up a testing instance so that you can try The Ops Platform with Vault. If you wish to use Vault in your production environmet, you will need to use a production deployment of Vault--not a local test instance as you'll set up in this tutorial.

Install Vault locally

Download the Hashicorp Vault binary and run it on your computer.
From the directory where you downloaded the binary, run: ./vault server -dev

Note: If you’re using Vault on MacOS, you may see an error when you first try to run Vault. If you see this error, you’ll have to allow the executable to run. To do this, open System Preferences > Security and Privacy and choose “Open Anyway” for the error that Vault was blocked.

Retrieve ROOT_TOKEN from the logs

You can use the returned token to register your vault with the Ops CLI

ops run @vahid/vault --url "http://host.docker.internal:8200" --token [ROOT_TOKEN] --team [YOUR_TEAM_NAME] configure

This will setup the team structure in the vault and will return a new team token associated with your team.

Note: You can retrieve your current team name by running: ops whoami

You can also use this Op to work with the created team in the vault. For example, you can show the existing secrets: ops run vault --url "http://host.docker.internal:8200" --token [TEAM_TOKEN] --team [YOUR_TEAM_NAME] secret list

You can also check the contents of your Vault by viewing the UI in a web browser: the vault UI: http://127.0.0.1:8200/ui/vault/secrets.

Note: once you have the Vault installed, you will need to create a static URL so that it’s accessible externally. You would not do this for production, it’s only for this exercise and you should turn off the connection after you are done.

Exposing your local vault to the public Internet requires a service such as https://ngrok.com

Install ngrok

To set up ngrok, follow these steps: https://dashboard.ngrok.com/get-started. Essentially, you need to install the application and then add your authentication token. After that, you can add your internal Vault as a public URL by running: ./ngrok http 8200. When you run this command, ngrok will open a terminal UI that shows the URL in use for your Vault.

Once you have your Vault set up and it’s accessible publicly via the Internet, you can register your new provider using:

ops secrets:register

Enter the URL (your public Vault URL from ngrok plus the team name, e.g., http://xxxx.ngrok.io/teamName) and token you received when you set up the provider for your team.

After you have registered your new provider, you can set and use secrets with the same commands as the default provider.