Secrets
What are secrets?
Confidential information such as API keys, secret keys for encryption, and database passwords should not be stored in plain text in application code or in configuration files committed to a version control system.
Instead, use Truefoundry to securely store and control access to them. Truefoundry also helps you seamlessly mount these secrets as environment variables.
What are secret groups?
A secret group is a feature of Truefoundry that enables you to manage a set of secrets associated with a project. You can create a secret group and add secrets to it, such as API keys, secret keys for encryption, database passwords, and other confidential information that you need to keep secure.
This way you can group your secrets associated with a project.
One of the primary benefits of using a secret group is that it provides centralized management and control over the secrets associated with a project. You can easily add or remove secrets from a group, and you can grant access to the group to specific collaborators or teams.
By controlling access to secret groups, you can ensure that only authorized users can access sensitive information. You can manage access to secret groups by adding collaborators to your project and assigning them roles and permissions. This way, you can maintain granular control over who can access the secrets and what they can do with them.
How to store secrets in Truefoundry?
To store secrets in Truefoundry, follow the steps below:
- Go to SecretsFoundry dashboard.
- Click on the Create Secret Group button.
- Enter the Secret Group Name
- Enter the Secret key and Secret value associated with the Secret.
Note: Suppose your backend service needs to load a database password and an API key for an external service. You can create a secret group for that backend service and add the database password and the API key as secrets under that secret group.
- Click on create.
- Now you can click on your secret group name.
- Click on the Copy FQN button. We use the FQN to inject secrets in applications. The Secret FQN will always start with `tfy-secret://`.
Injecting Secrets as Environment Variables in application
```python
import logging

from servicefoundry import Build, Service, DockerFileBuild

logging.basicConfig(level=logging.INFO)

service = Service(
    name="my-service",
    image=Build(build_spec=DockerFileBuild()),
    ports=[{"port": 8501}],
    env={
        "NODE_ENV": "prod",
        # The value of tfy-secret://user:my-secret-group:my-secret
        # will be mapped to the value of MY_SECRET environment variable.
        "MY_SECRET": "tfy-secret://user:my-secret-group:my-secret",
    },
)
service.deploy(workspace_fqn="YOUR_WORKSPACE_FQN")
```
```yaml
# You can inject secrets as environment variables to services by adding them in the `servicefoundry.yaml` file.
name: my-service
components:
  - name: my-service
    type: service
    image:
      type: build
      build_source:
        type: local
      build_spec:
        type: dockerfile
    ports:
      - port: 8501
    env:
      NODE_ENV: prod
      MY_SECRET: tfy-secret://user:my-secret-group:my-secret
```
After this, you can deploy your application by running `servicefoundry deploy`, and the value of the secret will be available in your service environment in the environment variable `MY_SECRET`.
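A pre-deploy check for the `env` mapping shown above, as an added example that is not part of Truefoundry's documentation or SDK: it flags variables whose names suggest a credential but whose values are not `tfy-secret://` references, passwords embedded in connection URLs, and references that do not match the shape of the sample FQN. The name patterns, the three-part FQN shape, the `audit_env` helper, and the sample values are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

SECRET_PREFIX = "tfy-secret://"  # prefix stated on the page
# Assumption: three colon-separated parts, inferred from the page's sample FQN.
FQN_RE = re.compile(r"^tfy-secret://[^:\s]+:[^:\s]+:[^:\s]+$")
# Assumption: heuristic patterns for variable names that usually hold credentials.
SENSITIVE_NAME_RE = re.compile(
    r"SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I
)


def url_has_password(value):
    """True if value parses as a URL carrying a password in its userinfo part."""
    try:
        return bool(urlsplit(value).password)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False


def audit_env(env):
    """Return sorted (variable, problem) findings; values are never echoed."""
    findings = []
    for name, value in env.items():
        value = str(value)
        if value.startswith(SECRET_PREFIX):
            if not FQN_RE.match(value):
                findings.append((name, "malformed secret FQN"))
        elif SENSITIVE_NAME_RE.search(name):
            findings.append((name, "plaintext value in sensitive variable"))
        elif url_has_password(value):
            findings.append((name, "password embedded in URL"))
    return sorted(findings)


# Constructed sample: MY_SECRET is the page's value, the rest are made up.
SAMPLE_ENV = {
    "NODE_ENV": "prod",
    "MY_SECRET": "tfy-secret://user:my-secret-group:my-secret",
    "DB_PASSWORD": "hunter2",
    "PAYMENTS_API_KEY": "tfy-secret://user:my-secret-group",  # secret name missing
    "DATABASE_URL": "postgres://app:hunter2@db.internal:5432/app",
}

if __name__ == "__main__":
    for name, problem in audit_env(SAMPLE_ENV):
        print(f"{name}: {problem}")
```

Run it against the same dictionary you pass to `Service(env=...)` before deploying; the findings name the variable and the problem only, so the output is safe to keep in CI logs.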