secret
Fluvio cloud secrets are set via the CLI. Each secret is a named value with all secrets sharing a namespace per account. Connector configuration files can refer to secrets by name, and the cloud connector infrastructure will provision the connector with the named secrets.
Due to security concerns, listing actual secret values or downloading them after they have been set is not allowed. However, a listing of secret names as well as what date they were last set is accessible.
fluvio cloud secret
subcommands
The secrets CLI is an added subcommand fluvio cloud as 'fluvio cloud secret'.
Actions possible with a fluvio cloud secret are:
- set
- delete
- list
fluvio cloud secret set <NAME> <VALUE>
fluvio cloud secret list
fluvio cloud secret delete <NAME>
fluvio cloud secret set
Setting a secret of <NAME>
will allow it to be referenced by that name in connector configuration parameters that can use secret references.
fluvio cloud secret set <NAME> <VALUE>
All secrets are in a shared connector namespace, but a specific connector is only given access to secrets named in the configuration file of the connector.
fluvio cloud secret list
fluvio cloud secret list
will list only the secret names and their last update time. Once a secret has been set into fluvio cloud, it is stored so only referencing connectors may access the secret. There is no way to retrieve the secret value from fluvio cloud.
$ fluvio cloud secret list
SecretNames LastUpdate
CAT_FACTS_CLIENT_ID 12-10-2022 1:07pm
CAT_FACTS_SECRET 01-02-2023 12:01am
fluvio cloud secret delete
This will delete the named secret.
fluvio cloud secret delete <NAME>
Connector config file references
The connector config files can reference cloud secrets by NAME. They need to be referenced on meta section of connector config. And then we can use the secret name in the connector configuration parameters. The secret can be used in the configuration as ${{ secrets.<NAME> }}
.
apiVersion: 0.1.0
meta:
version: x.y.z
name: my-connector
type: package-name
topic: a-topic
secrets:
- name: CAT_FACTS_CLIENT_ID
- name: CAT_FACTS_SECRET
# named section for custom config parameters, usually a short name like "http", or "mqtt"
<CUSTOM>:
param_client_id: ${{ secrets.CAT_FACTS_CLIENT_ID }}
param_client_secret: ${{ secrets.CAT_FACTS_SECRET }}
Example
An example of a connector that can use secret parameters, the http connector might be setup and configured as follows.
- Setup a secret
$ fluvio cloud secret set AUTH_HEADER "1234abcd"
- Write a connector config
http-config-with-secret.yaml
$ cat << END_CONFIG > http-config-with-secret.yaml
apiVersion: 0.1.0
meta:
version: x.y.z
name: cat-facts
type: http-source
topic: cat-facts-secret
secrets:
- name: AUTH_HEADER
http:
endpoint: "https://catfact.ninja/fact"
interval: 10s
headers:
- "Authorization: bearer ${{ secrets.AUTH_HEADER }}"
END_CONFIG
- Run the connector
$ fluvio cloud connector --config http-config-with-secret.yaml
This same configuration file is compatible with both fluvio cloud connectors and cdk locally run connectors. The cloud connectors are provisioned via the fluvio cloud secret ...
set of commands, while the cdk secrets are provided locally.