How to define secrets for your application¶
1. About¶
You can set any properties of a service component as secrets. This is useful in case you do not want to expose sensitive data as plain text (e.g., a database password) in the topology description.
2. How to use¶
Step 1. Set a property as secret¶
Open the properties menu of any components (e.g., the
root_passwordproperty of theMySQLServercomponent).Select Set as secret.
Save the application.
Figure 1. Set the root_password property as secret¶
Step 2. Input the secret value¶
Select the Setting tab.
The
root_passwordsecret was created in Step 1 but has no value. Select it.Input the value (e.g.,
Test1234).
Figure 2. Create the root_password secret¶
Important
Only users from Open Telekom Cloud with the Tenant Administrator role in the same project has the permission to view and edit the secret value.
3. Expected result¶
The topology description shows the root_password property gets an input from the get_secret function:
Figure 3. Topology shows get_secret¶
When the application is deployed, the root_password property will be resolved with the secret value Test1234.
3. How secure is my secrets¶
In step 2, the designer uses the authentication token of the user to encrypt the secret. During the deployment, the orchestration engine uses the user authentication token to decrypt the secret.
It means, the system works on behalf of the user to encrypt and decrypt a given secret. Without the authentication token from a user with the
Tenant Administratorrole in the same project, the system itself cannot decrypt the secrets. Therefore, our secret management system has a higher security in comparison to just encrypt the data with a symmetric key.