The Secret Store

Storing secrets in a secure way

Secrets

A secret is a string that can be used for things such as signing tokens or for authenticating with systems. A secret must be kept secret from all outside parties.

Configuring a Secret

A secret is stored in a secrets file. The entire file content is the secret, i.e: there is one secret per file.

Write a well-kept secret to a file, either with an editor or simply with echo (trailing whitespace, including the newline that echo appends, is ignored):

$ echo abrakadabra > /opt/edgeware/acd/router/secrets/sec-1.txt

Configure a secret, referring to the same file name:

$ confcli integration.secrets -w
Running wizard for resource 'secrets'

Hint: Hitting return will set a value to its default.
Enter '?' to receive the help string

secrets : {
  enabled (default: False): true
  refreshIntervalSeconds (default: 60):
  secretStore : [
    secretStore : {
      id (default: ): sec-1
      type (default: file):
      resourceName (default: ): sec-1.txt
    }
    Add another 'secretStore' element to array 'secretStore'? [y/N]:
  ]
}
Generated config:
{
  "secrets": {
    "enabled": true,
    "refreshIntervalSeconds": 60,
    "secretStore": [
      {
        "id": "sec-1",
        "type": "file",
        "resourceName": "sec-1.txt"
      }
    ]
  }
}
Merge and apply the config? [y/n]: y
  • enabled enables/disables all secrets. Disabling secrets stops polling of, and access to, the secret resources. It does not disable token verification itself.
  • refreshIntervalSeconds the interval, in seconds, with which to refresh the cache. Secrets are cached in RAM for efficient token verification, so a change to a secrets file takes effect only after the next refresh.
  • id any name. It matters, because the token verification configuration refers to the secret by this id.
  • type the type of resource holding the secret. Currently the only supported type is file.
  • resourceName the file path relative to /opt/edgeware/acd/router/secrets; typically of the form secret1.txt. The form account1/secret1.txt is also possible. (Absolute paths, with a leading /, are allowed but risky, since paths inside the Podman container can differ from host paths.)
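The procedure above is enough to get a secret into the store, but `echo abrakadabra > file` leaves a weak, guessable secret in a file created with the default umask (typically world-readable), and the secret ends up in the shell history. The following shell script is an added example, not part of the router documentation or the confcli tool: it generates a random 256-bit secret, creates the secrets file with owner-only permissions from the moment it exists, checks the result, and prints the same `secrets` config fragment that the wizard generated above. The directory and file name are parameters so the script can be run against a scratch directory; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the router documentation): create a secret file for the
# router secret store and emit the matching configuration fragment.
# make_secret_file DIR NAME writes DIR/NAME with 32 random bytes, hex-encoded
# (64 characters), mode 0600. Use DIR=/opt/edgeware/acd/router/secrets in practice.
make_secret_file() {
  dir="$1"; name="$2"
  mkdir -p "$dir"
  # Set umask 077 before creating the file so it is never group/other-readable,
  # not even briefly; a chmod after the fact would leave a window.
  old_umask=$(umask)
  umask 077
  # 256 bits from the kernel CSPRNG, hex-encoded. No trailing newline is written;
  # the router would ignore trailing whitespace anyway, but the file stays exact.
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$dir/$name"
  umask "$old_umask"
}

# secret_file_ok FILE returns 0 if FILE exists, is readable/writable by its owner
# only, and contains exactly 64 lowercase hex characters; otherwise 1.
secret_file_ok() {
  f="$1"
  [ -f "$f" ] || return 1
  # Portable permission check: the first ten columns of ls -ld are the mode string.
  mode=$(ls -ld "$f" | cut -c1-10)
  [ "$mode" = "-rw-------" ] || return 1
  printf '%s' "$(cat "$f")" | grep -Eq '^[0-9a-f]{64}$'
}

# secret_config ID NAME prints the "secrets" fragment shown in the wizard output
# above, with id and resourceName filled in. Apply it with confcli as documented.
secret_config() {
  printf '{"secrets":{"enabled":true,"refreshIntervalSeconds":60,"secretStore":[{"id":"%s","type":"file","resourceName":"%s"}]}}\n' "$1" "$2"
}

# Usage (uncomment to run against the real directory; requires appropriate rights):
# make_secret_file /opt/edgeware/acd/router/secrets sec-1.txt
# secret_file_ok /opt/edgeware/acd/router/secrets/sec-1.txt && secret_config sec-1 sec-1.txt
```

Because the router caches secrets and refreshes them every `refreshIntervalSeconds`, a file written this way is picked up within one refresh interval; rotating a secret is simply overwriting the file with the same function.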

Secret usage in the Director

Secrets are typically used by the built-in token verification and generation. It is also possible to access configured secrets from Lua, in order to implement any other custom verification algorithm.