Skip to main content
Version: 0.14.0 (stable)

secret

Fluvio cloud secrets are set via the CLI. Each secret is a named value with all secrets sharing a namespace per account. Connector configuration files can refer to secrets by name, and the cloud connector infrastructure will provision the connector with the named secrets.

Due to security concerns, listing actual secret values or downloading them after they have been set is not allowed. However, a listing of secret names as well as what date they were last set is accessible.

fluvio cloud secret subcommands

The secrets CLI is an added subcommand fluvio cloud as 'fluvio cloud secret'.

Actions possible with a fluvio cloud secret are:

  • set
  • delete
  • list
fluvio cloud secret set <NAME> <VALUE>
fluvio cloud secret list
fluvio cloud secret delete <NAME>

fluvio cloud secret set

Setting a secret of <NAME> will allow it to be referenced by that name in connector configuration parameters that can use secret references.

fluvio cloud secret set <NAME> <VALUE>

All secrets are in a shared connector namespace, but a specific connector is only given access to secrets named in the configuration file of the connector.

fluvio cloud secret list

fluvio cloud secret list will list only the secret names and their last update time. Once a secret has been set into fluvio cloud, it is stored so only referencing connectors may access the secret. There is no way to retrieve the secret value from fluvio cloud.

$ fluvio cloud secret list
SecretNames          LastUpdate
CAT_FACTS_CLIENT_ID  12-10-2022 1:07pm
CAT_FACTS_SECRET     01-02-2023 12:01am

fluvio cloud secret delete

This will delete the named secret.

fluvio cloud secret delete <NAME>

Connector config file references

The connector config files can reference cloud secrets by NAME. They need to be referenced on meta section of connector config. And then we can use the secret name in the connector configuration parameters. The secret can be used in the configuration as ${{ secrets.<NAME> }}.

apiVersion: 0.1.0
meta:
  version: x.y.z
  name: my-connector
  type: package-name
  topic: a-topic
  secrets:
    - name: CAT_FACTS_CLIENT_ID
    - name: CAT_FACTS_SECRET
# named section for custom config parameters, usually a short name like "http", or "mqtt"
<CUSTOM>:
  param_client_id: ${{ secrets.CAT_FACTS_CLIENT_ID }}
  param_client_secret: ${{ secrets.CAT_FACTS_SECRET }}

Example

An example of a connector that can use secret parameters, the http connector might be setup and configured as follows.

  1. Setup a secret
$ fluvio cloud secret set AUTH_HEADER "1234abcd"
  1. Write a connector config http-config-with-secret.yaml
$ cat << END_CONFIG > http-config-with-secret.yaml
apiVersion: 0.1.0
meta:
  version: x.y.z
  name: cat-facts
  type: http-source
  topic: cat-facts-secret
  secrets:
    - name: AUTH_HEADER
http:
  endpoint: "https://catfact.ninja/fact"
  interval: 10s
  headers:
    - "Authorization: bearer ${{ secrets.AUTH_HEADER }}"
END_CONFIG
  1. Run the connector
$ fluvio cloud connector --config http-config-with-secret.yaml

This same configuration file is compatible with both fluvio cloud connectors and cdk locally run connectors. The cloud connectors are provisioned via the fluvio cloud secret ... set of commands, while the cdk secrets are provided locally.

References