Inject Secrets Into Services During Execution

Secret information that is stored in torero's secret store can be injected into your service as an environment variable during execution. Examples of secret information that you may want to inject into your services include passwords, API tokens, and AWS credentials.

Note

Although utilizing environment variables to set secret information is fairly common, please do consider any of the security pitfalls that can occur when environment variables contain secret information.

This guide assumes that you already have your secret store set up with an encryption key. If you do not yet have torero's secret store configured, see the general secrets documentation.


Associating Secrets On Service Creation

Secrets that are stored in torero's secret store can be associated with a service when it is being created via the --secret flag within any of the torero create service commands.

The syntax of the --secret flag can be seen in the example below:

--secret name=name-of-secret-in-secret-store,type=env,target=ENV_VAR_NAME

There are 3 sections that are separated by commas within this syntax.

  • name - The name of the secret in the secret store.
  • type - The manner in which the secret will be injected into the service. This must be set to env as only environment variables are supported today.
  • target - The name of the environment variable that will be set during execution.

See the following real-world example of creating a Python Script service called my-script. The service utilizes an API key stored in torero's secret store called my-api-key. The value of my-api-key will be injected into the script at execution time via an environment variable called API_KEY.

>_ torero create service python-script my-script \
--secret name=my-api-key,type=env,target=API_KEY \
--repository my-repo \
--filename main.py

This ensures that the API key is injected into the service during every execution.


Associating Secrets On Service Execution

To specify that a secret should be injected into a service at run time, you can either use the --set-secret flag available on the torero run service commands or declare the secret on a decorator.

Using The --set-secret Flag

The --set-secret flag has the same syntax as the flag used at service creation time.

An example of specifying that a secret stored in torero's secret store called my-password should be injected as an environment variable called PASSWORD can be seen below.

>_ torero run service python-script some-script \
--set-secret name=my-password,type=env,target=PASSWORD

Specifying Secrets On Decorators

You can specify that a secret be injected into a service at run time using the custom annotations x-itential-secret-type and x-itential-secret-target. A decorator that takes the name of a secret in the secret store as the value of a password property would resemble what is shown below.

{
  "$id": "root",
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "type": "object",
  "properties": {
    "password": {
      "type": "string",
      "x-itential-secret-type": "env",
      "x-itential-secret-target": "PASSWORD"
    }
  },
  "required": [
    "password"
  ],
  "additionalProperties": false
}

The value that is given for password will be the name of the secret in torero's secret store. x-itential-secret-type must be set to env, as it denotes that the password will be injected into the service as an environment variable when executed. Environment variables are currently the only secret type available. x-itential-secret-target denotes the name of the environment variable that will be set when the service is executed.

Since the name of a secret in torero's secret store will always be a string, secret properties for torero decorators must always be of type string.

Once you have a secret set on a decorator, you can specify the name of the secret in the secret store using the --set flag as you normally would for decorator values.

If we had a Python script that utilizes the decorator above, and a password in the secret store called my-password, we would use the following syntax:

>_ torero run service python-script my-script --set password=my-password

The value of the secret my-password would then be injected into the Python script as an environment variable with a key of PASSWORD.
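As an added example (not torero's own code and not part of this guide), the following Python validates the two ways this page shows of binding a secret: it parses a --secret / --set-secret value against the rules above (three sections, type must be env, target is an environment variable name) and it extracts the property-to-variable mapping from a decorator, enforcing that secret properties are strings. The variable-name regex and the duplicate-target check are assumptions of this example, not rules stated by torero.

```python
import re

ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")  # assumed: portable env var names
SUPPORTED_TYPES = {"env"}  # the page states env is the only secret type today
REQUIRED_KEYS = {"name", "type", "target"}

def parse_secret_flag(value: str) -> dict[str, str]:
    """Parse a --secret / --set-secret value: name=...,type=env,target=ENV_VAR."""
    fields: dict[str, str] = {}
    for part in value.split(","):
        key, sep, val = part.partition("=")
        if not sep or key not in REQUIRED_KEYS or key in fields:
            raise ValueError(f"bad or repeated section: {part!r}")
        fields[key] = val
    if fields.keys() != REQUIRED_KEYS:
        raise ValueError(f"missing sections: {sorted(REQUIRED_KEYS - fields.keys())}")
    if not fields["name"]:
        raise ValueError("secret name must not be empty")
    if fields["type"] not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported secret type: {fields['type']!r}")
    if not ENV_NAME.match(fields["target"]):
        raise ValueError(f"invalid environment variable name: {fields['target']!r}")
    return fields

def secret_targets_from_decorator(schema: dict) -> dict[str, str]:
    """Map each secret-bearing decorator property to the env var it will set."""
    targets: dict[str, str] = {}
    for prop, spec in schema.get("properties", {}).items():
        if not any(k.startswith("x-itential-secret-") for k in spec):
            continue  # ordinary decorator property, not a secret
        if spec.get("type") != "string":
            raise ValueError(f"secret property {prop!r} must be of type string")
        if spec.get("x-itential-secret-type") not in SUPPORTED_TYPES:
            raise ValueError(f"property {prop!r}: x-itential-secret-type must be env")
        target = spec.get("x-itential-secret-target", "")
        if not ENV_NAME.match(target):
            raise ValueError(f"property {prop!r}: invalid target {target!r}")
        if target in targets.values():  # assumed rule: one variable per property
            raise ValueError(f"{target} would be set by more than one property")
        targets[prop] = target
    return targets

# The decorator shown on this page, embedded so the block runs offline.
SAMPLE_DECORATOR = {
    "$id": "root", "$schema": "https://json-schema.org/draft/2020-12/schema",
    "type": "object",
    "properties": {"password": {"type": "string", "x-itential-secret-type": "env",
                                "x-itential-secret-target": "PASSWORD"}},
    "required": ["password"], "additionalProperties": False,
}
```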