You can inject secret information stored in IAG's secret store into your service as an environment variable during execution. Examples of secret information you may want to inject include passwords, API tokens, and AWS credentials.
To inject secret information into your service, you must use IAG 5.2 or later.
Although using environment variables to pass secret information is common practice, consider the risks before relying on it: environment variables are inherited by every child process the service spawns, can be read by other processes running as the same user (for example through /proc/<pid>/environ on Linux), and are frequently captured in crash dumps, debug output and logs. Do not print or log the process environment, and do not hand injected secrets on to helper processes that do not need them.
Prerequisites: You must have IAG's secret store configured with an encryption key. If you haven't configured the secret store yet, see Configure IAG secret store.
Associate secrets on service creation
You can associate secrets stored in IAG's secret store with a service when you create it using the --secret flag within any of the iagctl create service commands.
The --secret flag uses the following syntax:
--secret name=name-of-secret-in-secret-store,type=env,target=ENV_VAR_NAME
The syntax has three sections separated by commas:
- name - The name of the secret in the secret store
- type - How the secret will be injected into the service (must be set to env, as only environment variables are supported)
- target - The name of the environment variable that will be set during execution
The following example creates a Python Script service called my-script. The service uses an API key stored in IAG's secret store called my-api-key. The value of my-api-key will be injected into the script at execution time using an environment variable called API_KEY:
iagctl create service python-script my-script \
--secret name=my-api-key,type=env,target=API_KEY \
--repository my-repo \
--filename main.py
This ensures that the API key is injected into the service during every execution.
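The script side of this flow is not shown on the page, so here is an added example (not code from the IAG documentation or the Itential project) of a main.py that consumes the injected API_KEY safely. It assumes the service was created with the --secret flag above, so that API_KEY is already present in the environment when the script runs; the function names, the constructed sample environments and the redaction helper are this example's own.

```python
"""Example Python Script service body that consumes a secret IAG injected
as an environment variable (added example, not IAG or Itential code).

Assumes: iagctl create service python-script my-script \
           --secret name=my-api-key,type=env,target=API_KEY ...
"""
import os
import subprocess
from typing import Dict, Mapping, Optional

# Env var names IAG injects for this service (one per --secret target).
SECRET_ENV_VARS = ("API_KEY",)


def _env(env: Optional[Mapping[str, str]]) -> Mapping[str, str]:
    return os.environ if env is None else env


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Return the injected secret, failing closed if it is absent or blank.

    A missing value normally means the service was run without the
    --secret/--set-secret flag or the secret store is not configured;
    stopping here beats sending an empty token to the API.
    """
    value = _env(env).get(name, "")
    if not value.strip():
        raise RuntimeError(f"required secret {name} was not injected into the environment")
    return value


def auth_header(env: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Build the HTTP header the key is used in; the value goes nowhere else."""
    return {"Authorization": f"Bearer {load_secret('API_KEY', env)}"}


def child_env(env: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Environment for subprocesses with every injected secret stripped out.

    Children inherit the parent's environment by default, so a helper tool
    spawned from this script would otherwise receive API_KEY as well.
    """
    return {k: v for k, v in _env(env).items() if k not in SECRET_ENV_VARS}


def redact(text: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Mask secret values in text destined for logs or exception messages."""
    for name in SECRET_ENV_VARS:
        value = _env(env).get(name, "")
        if value:
            text = text.replace(value, "***")
    return text


def main() -> None:
    headers = auth_header()
    # ... call the API with headers using the HTTP client of your choice ...
    # Spawn helpers without handing them the key (constructed example command).
    result = subprocess.run(["env"], env=child_env(), capture_output=True, text=True, check=False)
    # Log only redacted output; never echo the environment or the header itself.
    print(redact(result.stdout))
    print("API_KEY present:", "API_KEY" in os.environ, "header keys:", list(headers))


if __name__ == "__main__":
    main()
```

Run it through IAG as the page shows (iagctl run service python-script my-script); outside IAG, export API_KEY yourself to test locally. The two checks worth keeping in any real script are the fail-closed load_secret and the scrubbed child_env, since those are the two ways an env-var secret most often escapes.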
Associate secrets on service execution
To specify that a secret should be injected into a service when running a service via the CLI, you can use the --set-secret flag available on the iagctl run service commands, or specify that a secret is being used on a decorator.
Use the --set-secret flag
The --set-secret flag uses the same syntax as the --secret flag used at service creation time.
The following example specifies that a secret stored in IAG's secret store called my-password should be injected as an environment variable called PASSWORD:
iagctl run service python-script some-script \
--set-secret name=my-password,type=env,target=PASSWORD
Specify secrets on decorators
You can specify that a secret should be injected into a service when run using the custom annotations x-itential-secret-type and x-itential-secret-target. A decorator with a password property whose value is the name of a secret in the secret store would look like this:
{
  "$id": "root",
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "type": "object",
  "properties": {
    "password": {
      "type": "string",
      "x-itential-secret-type": "env",
      "x-itential-secret-target": "PASSWORD"
    }
  },
  "required": [
    "password"
  ],
  "additionalProperties": false
}
The value given for password will be the name of the secret in IAG's secret store. x-itential-secret-type must be set to env, as it denotes that the password will be injected into the service as an environment variable when executed. Environment variables are currently the only secret type available. x-itential-secret-target denotes the name of the environment variable to be injected when the service is executed.
Since the name of a secret in IAG's secret store is always a string, secret properties for IAG decorators must always be of type string.
After you have a secret set on a decorator, you can specify the name of the secret in the secret store using the --set flag as you normally would for decorator values.
If you have a Python script that uses the decorator above, and you have a password in the secret store called my-password, you would use this syntax:
iagctl run service python-script my-script --set password=my-password
The system injects the value of the secret my-password into the Python script as an environment variable with a key of PASSWORD. Services that have decorators with injected secret values can then be executed through the runService Gateway Manager task.
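The rules above (secret properties must be strings, x-itential-secret-type must be env, the --set value names a secret rather than holding one) are easy to get wrong in a hand-written decorator. The following added example (not IAG's own code, and not how IAG is implemented) models that resolution so you can lint a decorator before deploying it: it reads the decorator JSON from this section, applies the constraints the page states, and computes which environment variables would be populated from which secret-store entries for a given set of --set values. The in-memory secret store and its value are constructed for the example.

```python
"""Lint a decorator's secret annotations and model how --set values map to
injected environment variables (added example; not IAG's implementation).
"""
import json
from typing import Dict, List

# The decorator shown on the page, embedded so the example runs offline.
DECORATOR = json.loads("""
{
  "$id": "root",
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "type": "object",
  "properties": {
    "password": {
      "type": "string",
      "x-itential-secret-type": "env",
      "x-itential-secret-target": "PASSWORD"
    }
  },
  "required": ["password"],
  "additionalProperties": false
}
""")

# Constructed stand-in for IAG's secret store; real values live encrypted in IAG.
FAKE_SECRET_STORE = {"my-password": "s3cr3t-value"}


def secret_properties(decorator: dict) -> Dict[str, str]:
    """Return {property: target env var} for every annotated property,
    enforcing the constraints the documentation states."""
    out: Dict[str, str] = {}
    for prop, schema in decorator.get("properties", {}).items():
        if "x-itential-secret-type" not in schema and "x-itential-secret-target" not in schema:
            continue  # ordinary decorator input, not a secret
        if schema.get("x-itential-secret-type") != "env":
            raise ValueError(f"{prop}: x-itential-secret-type must be 'env'")
        target = schema.get("x-itential-secret-target")
        if not target or not isinstance(target, str):
            raise ValueError(f"{prop}: x-itential-secret-target must name an environment variable")
        if schema.get("type") != "string":
            raise ValueError(f"{prop}: secret properties must be of type string")
        out[prop] = target
    return out


def parse_set_flags(values: List[str]) -> Dict[str, str]:
    """Parse the key=value pairs given to --set, e.g. ['password=my-password']."""
    parsed: Dict[str, str] = {}
    for item in values:
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"--set expects key=value, got {item!r}")
        parsed[key] = value
    return parsed


def resolve_env(decorator: dict, set_values: Dict[str, str], store: Dict[str, str]) -> Dict[str, str]:
    """Return {ENV_VAR: secret value} that would be injected for these --set values."""
    props = secret_properties(decorator)
    env: Dict[str, str] = {}
    for prop, target in props.items():
        if prop not in set_values:
            if prop in decorator.get("required", []):
                raise ValueError(f"required secret property {prop} was not set")
            continue
        secret_name = set_values[prop]  # the --set value is a secret *name*
        if secret_name not in store:
            raise KeyError(f"no secret named {secret_name!r} in the secret store")
        env[target] = store[secret_name]
    return env


if __name__ == "__main__":
    flags = parse_set_flags(["password=my-password"])
    resolved = resolve_env(DECORATOR, flags, FAKE_SECRET_STORE)
    print("env vars to inject:", sorted(resolved))  # names only, never values
```

resolve_env deliberately raises when the --set value is not a known secret name: that is the case where someone has pasted the password itself on the command line instead of the name of the stored secret, which is exactly what this feature exists to avoid.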
Figure 1: Example runService task configuration panel with password input parameter