Secret Oak app config can be in a local file (.env), or fetched from a network location.
If a value for a secret is found in .env, it overrides the value from the network location.
To skip fetching secrets from the network location (and read them only from .env), add the following to your .env file:
USE_ONLY_LOCAL_SECRETS=true
Currently we support fetching secrets from Google Secret Manager.
In order to fetch secrets from Google Secret Manager, the Oak Config file must contain the following properties:
{
  "googleSecretManager": {
    "projectId": "[your-project-id]"
  }
}
In this case, the script will look for the following environment variable:
GOOGLE_SECRET_MANAGER_SERVICE_ACCOUNT='{"type":"service_account","project_id":...'
This service account will need the following permissions in order to access the app's secrets:
resourcemanager.projects.get
resourcemanager.projects.list
secretmanager.versions.access
secretmanager.secrets.list
# TODO: fill out required permissions
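The override rule and the USE_ONLY_LOCAL_SECRETS switch described above, together with a validity check on GOOGLE_SECRET_MANAGER_SERVICE_ACCOUNT, sketched as an added example that is not Oak's own loader code. The function names, secret names and sample values are hypothetical, and the network fetch is assumed to have already produced a plain object of values.

```javascript
// Added example: function and secret names are hypothetical, not Oak's loader.

// True only when .env explicitly opts out of the network location.
function useOnlyLocal(localEnv) {
  return localEnv.USE_ONLY_LOCAL_SECRETS === "true";
}

// Validate the service account variable without echoing its contents.
function parseServiceAccount(env) {
  const raw = env.GOOGLE_SECRET_MANAGER_SERVICE_ACCOUNT;
  if (!raw) throw new Error("GOOGLE_SECRET_MANAGER_SERVICE_ACCOUNT is not set");
  let key;
  try {
    key = JSON.parse(raw);
  } catch (err) {
    throw new Error("GOOGLE_SECRET_MANAGER_SERVICE_ACCOUNT is not valid JSON");
  }
  if (key.type !== "service_account" || !key.project_id) {
    throw new Error("GOOGLE_SECRET_MANAGER_SERVICE_ACCOUNT is not a service account key");
  }
  return key;
}

// Apply the documented precedence: a value found in .env overrides the network value.
// `remote` holds the values already fetched from the network location.
function resolveSecrets(names, localEnv, remote) {
  const has = (obj, k) => Object.prototype.hasOwnProperty.call(obj, k);
  const network = useOnlyLocal(localEnv) ? {} : remote;
  const values = {};
  const sources = {}; // name -> "local" | "network" | "missing" (no values, safe to log)
  const overridden = []; // names where .env shadows a network value
  for (const name of names) {
    if (has(localEnv, name)) {
      values[name] = localEnv[name];
      sources[name] = "local";
      if (has(network, name)) overridden.push(name);
    } else if (has(network, name)) {
      values[name] = network[name];
      sources[name] = "network";
    } else {
      sources[name] = "missing";
    }
  }
  return { values, sources, overridden };
}

// Constructed sample data (not real secrets).
const sampleEnv = { EXAMPLE_API_KEY: "from-dotenv" };
const sampleRemote = { EXAMPLE_API_KEY: "from-network", EXAMPLE_DB_PASSWORD: "from-network" };
console.log(resolveSecrets(["EXAMPLE_API_KEY", "EXAMPLE_DB_PASSWORD"], sampleEnv, sampleRemote).sources);
```

Logging `sources` and `overridden` rather than `values` shows which secrets a local .env is shadowing without writing any secret to the log.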