Passing app secrets in Yesod and Keter


I'm building a web app with Yesod and am currently passing in secrets such as API keys via environment variables (as per The Twelve-Factor App) to avoid storing these values in version-controlled configuration files. For example, I run my app in dev mode as follows:

SOME_API_KEY=value yesod devel

I have a value in my config/settings.yml file that is defined in terms of this environment variable with an empty value as follows:

meetup-api-key: "_env:SOME_API_KEY:"

To deploy using Keter, I'm building the Keter package using the yesod keter command and dropping the resulting file into Keter's incoming directory. Since I'm using environment variable configuration, my app's .keter file does not contain the SOME_API_KEY value (which is intentional).

How should I pass SOME_API_KEY into the instance of my app running inside Keter?

I would like to avoid baking the value into my keter-config.yaml for at least the following three reasons:

  1. It is less secure than the environment variable approach.
  2. Being embedded directly into the configuration file for Keter itself, as opposed to the configuration to the app, the secret cannot be changed without stopping and restarting the entire Keter process.
  3. The environment variables are passed into every app being managed by Keter.

I am hoping that there are some "best practices" out there for this scenario.


Solution

  • Set your secrets as environment variables on your server and ‘forward’ them to your app using forward-env in config/keter.yml as seen in the following patch: https://github.com/snoyberg/keter/commit/9e9fca314fb78860fb5c9b08cad212d92b0b20d4
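
The forward-env setting named in the answer, shown beside the global approach the question wants to avoid. This is an added example, not part of the original post or of Keter's own files; the exec path, host name and the "value" literal are placeholders.

```yaml
# keter-config.yaml (Keter's own, server-wide configuration)
# The approach the question rejects: the secret is written to a file on disk
# and is passed to every app that Keter manages.
env:
  SOME_API_KEY: "value"            # placeholder secret
---
# config/keter.yml (inside the app bundle, safe to keep in version control)
# Only the variable's NAME appears here. Keter takes the value from the
# environment of the Keter process and passes it to this app alone.
stanzas:
  - type: webapp
    exec: ../dist/bin/myapp        # placeholder path to the app binary
    hosts:
      - www.example.com            # placeholder host
    forward-env:
      - SOME_API_KEY
```

With this layout the bundle contains no secret material, and the variable has to be set in the environment of the Keter service itself for the forwarded value to be non-empty.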