
Passing app secrets in Yesod and Keter

I'm building a web app with Yesod and am currently passing in secrets such as API keys via environment variables (as per The Twelve-Factor App) to avoid storing these values in version-controlled configuration files. For example, I run my app in dev mode as follows:

SOME_API_KEY=value yesod devel

I have a value in my config/settings.yml file that is defined in terms of this environment variable with an empty value as follows:

meetup-api-key: "_env:SOME_API_KEY:"

To deploy using Keter, I'm building the Keter package using the yesod keter command and dropping the resulting file into Keter's incoming directory. Since I'm using environment variable configuration, my app's .keter file does not contain the SOME_API_KEY value (which is intentional).

How should I pass SOME_API_KEY into the instance of my app running inside Keter?

I would like to avoid baking the value into my keter-config.yaml for at least the following three reasons:

  1. It is less secure than the environment variable approach.
  2. Being embedded directly into the configuration file for Keter itself, as opposed to the configuration to the app, the secret cannot be changed without stopping and restarting the entire Keter process.
  3. The environment variables are passed into every app being managed by Keter.

I am hoping that there are some "best practices" out there for this scenario.

Richard Cook asked Oct 14 '15 15:10


1 Answer

Set your secrets as environment variables on your server and ‘forward’ them to your app using forward-env in config/keter.yml as seen in the following patch: https://github.com/snoyberg/keter/commit/9e9fca314fb78860fb5c9b08cad212d92b0b20d4

Daniel Gasienica answered Oct 10 '22 22:10
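A pre-deploy check for the setup discussed above, as an added example that is not part of the original question or answer and not Keter's own code: it lists every `_env:NAME:` reference in config/settings.yml that has an empty default and is not named under forward-env in config/keter.yml, since such a secret would fall back to its empty default inside Keter. The two sample files are constructed, the exec path and host are placeholders, and the stanza layout is assumed to be a block-style webapp stanza.

```python
import re

# Constructed sample files (not from the original post).
SETTINGS_YML = '''\
approot: "_env:APPROOT:http://localhost:3000"
meetup-api-key: "_env:SOME_API_KEY:"
'''

# Assumed layout: one webapp stanza; exec path and host are placeholders.
KETER_YML = '''\
stanzas:
  - type: webapp
    exec: ../dist/bin/myapp
    hosts:
      - www.example.com
    forward-env:
      - SOME_API_KEY
'''

ENV_REF = re.compile(r'_env:([A-Za-z_][A-Za-z0-9_]*)(?::([^"\']*))?')

def required_vars(settings_text):
    """Variables referenced with an empty (or no) default: they must come from the environment."""
    return {m.group(1) for m in ENV_REF.finditer(settings_text) if not m.group(2)}

def forwarded_vars(keter_text):
    """Names listed under any forward-env key (block-style YAML lists only)."""
    names, indent = set(), None
    for line in keter_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        cur = len(line) - len(line.lstrip())
        if stripped == 'forward-env:':
            indent = cur                      # start collecting list items
        elif indent is not None:
            if stripped.startswith('- ') and cur >= indent:
                names.add(stripped[2:].strip().strip('"\''))
            else:
                indent = None                 # list ended at the next key or stanza
    return names

def missing_forwards(settings_text, keter_text):
    """Secrets the app expects from the environment that Keter would not pass on."""
    return sorted(required_vars(settings_text) - forwarded_vars(keter_text))

if __name__ == '__main__':
    print('not forwarded:', missing_forwards(SETTINGS_YML, KETER_YML) or 'none')
```
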