The Secret Store
Storing secrets in a secure way
Secrets
A secret is a string that can be used for things such as signing tokens or for authenticating with systems. A secret must be kept secret from all outside parties.
Configuring a Secret
A secret is stored in a secrets file. The entire file content is the secret, i.e. there is one secret per file.
Edit, or just echo, a well-kept secret to a file (trailing whitespace is ignored):
$ echo abrakadabra > /opt/edgeware/acd/router/secrets/sec-1.txt
Configure a secret, referring to the same file name:
$ confcli integration.secrets -w
Running wizard for resource 'secrets'
Hint: Hitting return will set a value to its default.
Enter '?' to receive the help string
secrets : {
enabled (default: False): true
refreshIntervalSeconds (default: 60):
secretStore : [
secretStore : {
id (default: ): sec-1
type (default: file):
resourceName (default: ): sec-1.txt
}
Add another 'secretStore' element to array 'secretStore'? [y/N]:
]
}
Generated config:
{
"secrets": {
"enabled": true,
"refreshIntervalSeconds": 60,
"secretStore": [
{
"id": "sec-1",
"type": "file",
"resourceName": "sec-1.txt"
}
]
}
}
Merge and apply the config? [y/n]: y
enabled: enables/disables all secrets. Disabling secrets will disable polling of, and access to, the resources. It will not disable token verification.
refreshIntervalSeconds: the interval with which to update the cache. Secrets are cached in RAM for efficient token verification.
id: any name. It is important, as it will be referred to from the verification.
type: the type of resource holding the secret. Currently the only supported type is file.
resourceName: the file path under /opt/edgeware/acd/router/secrets; typically in the form of secret1.txt. The form account1/secret1.txt is also possible. (Absolute paths, with a leading /, are allowed, but risky since paths inside the Podman container can differ from host paths.)
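As an added example (not the router's own code) of how a loader can apply the rules above, in Python: it reads the config the wizard generated, resolves each resourceName under the secrets directory, strips trailing whitespace, and, more strictly than the router (which allows them), rejects absolute paths and names that escape the directory. SAMPLE_CONFIG and the temporary directory in demo() are constructed for the demo.

```python
import json
import os
import tempfile

# Constructed sample: the config generated by the confcli wizard above.
SAMPLE_CONFIG = json.loads("""
{"secrets": {"enabled": true, "refreshIntervalSeconds": 60,
 "secretStore": [{"id": "sec-1", "type": "file", "resourceName": "sec-1.txt"}]}}
""")


def resolve_secret_path(secrets_dir, resource_name):
    """Resolve resourceName under secrets_dir.

    Stricter than the router: rejects absolute paths (container and host
    paths can differ) and any name that escapes secrets_dir via '..'.
    """
    if os.path.isabs(resource_name):
        raise ValueError(f"absolute resourceName rejected: {resource_name}")
    base = os.path.realpath(secrets_dir)
    path = os.path.realpath(os.path.join(base, resource_name))
    if os.path.commonpath([base, path]) != base:
        raise ValueError(f"resourceName escapes secrets dir: {resource_name}")
    return path


def load_secrets(config, secrets_dir):
    """Return {id: secret}. Whole file = one secret, trailing whitespace dropped."""
    section = config["secrets"]
    if not section.get("enabled", False):
        return {}  # disabled: no polling, no access to resources
    loaded = {}
    for entry in section["secretStore"]:
        if entry.get("type", "file") != "file":
            raise ValueError(f"unsupported secret type: {entry['type']}")
        if entry["id"] in loaded:
            raise ValueError(f"duplicate secret id: {entry['id']}")
        with open(resolve_secret_path(secrets_dir, entry["resourceName"])) as f:
            loaded[entry["id"]] = f.read().rstrip()
    return loaded


def demo():
    """Write the page's sample secret into a temp dir and load it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "sec-1.txt"), "w") as f:
            f.write("abrakadabra\n")  # echo appends a newline; it is ignored
        return load_secrets(SAMPLE_CONFIG, d)
```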
Secret usage in the Director
Secrets are typically used by the built-in token verification and generation. It is also possible to access configured secrets from Lua, in order to implement any other custom verification algorithm.