How to define secrets for your application
1. About
You can set any properties of a service component as secrets. This is useful in case you do not want to expose sensitive data as plain text (e.g., a database password) in the topology description.
2. How to use
Step 1. Set a property as secret
Open the properties menu of any component (e.g., the root_password property of the MySQLServer component).
Select Set as secret.
Save the application.
Step 2. Input the secret value
Select the Setting tab.
The root_password secret was created in Step 1 but has no value. Select it.
Input the value (e.g., Test1234).
Important
Only users from Open Telekom Cloud with the Tenant Administrator role in the same project have permission to view and edit the secret value.
3. Expected result
The topology description shows the root_password property gets an input from the get_secret function:
When the application is deployed, the root_password property will be resolved with the secret value Test1234.
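A check you can run over a topology description before saving or sharing it, given here as an added example that is not part of the original page or the product's own code. It flags sensitive-looking properties that still hold a literal value and lists the secrets that need a value in Step 2. The node_templates layout, the {"get_secret": name} mapping form, the name heuristic and the sample data are assumptions.

```python
import re

# Heuristic for property names that suggest sensitive data (assumption, adjust as needed).
SENSITIVE_NAME = re.compile(r"pass|secret|token|private_key|api_key", re.I)


def _properties(topology):
    """Yield (component, property, value) for every component property."""
    for component, body in topology.get("node_templates", {}).items():
        for prop, value in (body.get("properties") or {}).items():
            yield component, prop, value


def _secret_ref(value):
    """Return the secret name if value is {"get_secret": name}, else None."""
    if isinstance(value, dict) and set(value) == {"get_secret"}:
        return value["get_secret"]
    return None


def find_plaintext_secrets(topology):
    """Sensitive-looking properties that carry a literal instead of get_secret."""
    return [(c, p) for c, p, v in _properties(topology)
            if SENSITIVE_NAME.search(p) and v is not None and _secret_ref(v) is None]


def referenced_secrets(topology):
    """Secret names the topology expects to have a value at deployment."""
    return {name for _, _, v in _properties(topology)
            if (name := _secret_ref(v)) is not None}


# Constructed sample; the layout and the get_secret mapping form are assumptions.
SAMPLE = {
    "node_templates": {
        "MySQLServer": {"properties": {
            "port": 3306,
            "root_password": {"get_secret": "root_password"}}},
        "App": {"properties": {
            "db_password": "Test1234",   # literal value: should be set as a secret
            "api_token": None}},         # unset, nothing exposed
    }
}

if __name__ == "__main__":
    for component, prop in find_plaintext_secrets(SAMPLE):
        print(f"plaintext value in {component}.{prop}: set it as a secret")
    print("secrets that need a value:", sorted(referenced_secrets(SAMPLE)))
```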
4. How secure are my secrets
In Step 2, the designer uses the authentication token of the user to encrypt the secret. During the deployment, the orchestration engine uses the user authentication token to decrypt the secret.
This means the system works on behalf of the user to encrypt and decrypt a given secret. Without the authentication token from a user with the Tenant Administrator role in the same project, the system itself cannot decrypt the secrets. Therefore, our secret management system offers higher security than just encrypting the data with a symmetric key.