Secret configurations: Securely storing credentials
Secret configurations are a type of keyring well-suited for storing credentials like personal access tokens (PATs) and multi-field tokens (often stored in JSON format).
PAT keyrings
Personal access tokens (PATs) are API keys generated by services like GitHub or GitLab, or by cloud platforms like AWS or Azure. These tokens grant programmatic access to specific resources or functionalities within the service, on behalf of a user.
Imagine your snap-in needs to interact with a user’s GitHub repository. Instead of embedding the user’s username and password directly in your code (a major security risk!), you can leverage secret configurations. During installation, your snap-in can prompt the user to provide their PAT for GitHub access. This PAT is then securely stored within a secret configuration keyring. Whenever your snap-in needs to interact with the user’s GitHub repository, it retrieves the PAT from the keyring and uses it for authorization.
To use secret configurations in your snap-in, you need to declare them in your snap-in’s manifest file. Here’s a syntax of how you can declare a secret configuration keyring:
DevRev offers pre-defined keyring types for simplified credential management. This pre-defined type eliminates the need to create a custom keyring type specifically for PATs.
Multi-field keyrings
Multi-field tokens are a broader category that often come in JSON format. They can contain various fields with different pieces of information needed for authorization with a service.
Some services might use custom authentication mechanisms that require more than just a single token value. These services might provide credentials in JSON format, containing fields like access keys, secret keys, or expiration times. Secret configurations offer a secure way to store these multi-field tokens within your snap-in.
To use secret configurations in your snap-in, you need to declare them in your snap-in’s manifest file. Here’s a syntax of how you can declare a secret configuration keyring:
This section defines a keyring within your organization. You can specify the keyring’s name, a user-friendly display name for during installation, and a description explaining its purpose. Finally, you associate this keyring with a specific keyring type ID defined later.
Basic authentication with keyrings
For more information about basic authentication, you can refer to the Wikipedia article: Basic authentication. This resource provides detailed information about the protocol and its potential security considerations.
Here’s an syntax of how you can define a secret configuration keyring for basic authentication in your snap-in’s manifest file:
This section defines a keyring within your organization. You can specify the keyring’s name, a user-friendly display name for during installation, and a description explaining its purpose. Finally, you associate this keyring with a specific keyring type ID defined later.
- The
secret_transform
field is intended for more advanced scenarios where the secret needs to be transformed before use. For example, it could be used to hash a password before storing it within the keyring. The jq query provided in this field will be applied to the secret data before it is stored. - The
is_subdomain
field is optional and specifies whether the keyring contains a subdomain. Enabling this field allows the keyring to get the subdomain from the user during creation. This is useful when the keyring requires a subdomain as part of the configuration.
Keyring types
The supported keywords that can be dynamically inserted into URLs, headers, and query parameters within your custom keyring type configuration.
[API_KEY]
: The API key obtained from the secret configuration.[SUBDOMAIN]
: The subdomain obtained from the secret configuration.[FIELD_ID]
: The field ID obtained from the secret configuration.
Here, you can refer to the keyring type examples.