Mixing providers in a profile

[domenkozar]

I'd like to hear more workflows when this is needed.

Sometimes it's not possible to store all secets into one provider.

We could tell a secret it comes from a specific provider:

[project]
name = "myapp"
revision = "1.0"

[secrets.default]
MYSECRET1 = { provider = "onepassword://...", ... }
MYSECRET2 = { ... }

What I don't like about that:

• we're encoding providers into profiles
• now secretspec.toml can't be public anymore if provider has sensitive values in there

Alternative is using names to map to providers:

[project]
name = "myapp"
revision = "1.0"

[secrets.default]
API_KEY = { providers = ["shared"] }
DATABASE_URL = { providers = ["local"] }

[domenkozar]

One use case is using PostgreSQL in devenv:

{ config, ... }: {
  services.postgresql.enable = true;

  env.DATABASE_URL = config.env.PGHOST;
}

which will export $PGHOST with the path to the unix socket.

Ideally, we'd be able to say:

[project]
name = "myapp"
revision = "1.0"

...

[secrets.development]
DATABASE_URL = { providers = ["env"] }

[jbdutton]

I'd like to hear more workflows when this is needed.

One use-case that feels related: I'd like to default to the device's keychain in my local environment, but with the ability to fallback to / seed the keychain from another provider. The goal being, if I've already copied secrets into my keychain, I can work offline without any issues (up to a point). This would differ from the existing secretspec import behavior, in that you'd want to override existing secrets if they're out of date -- but I'm not exactly sure what that would look like.

[sagikazarmark]

Additional use cases:

GitHub token:

[secrets.development]
GITHUB_TOKEN = { providers = ["gh"] }

[secrets.production]
GITHUB_TOKEN = { providers = ["vault"] }

AWS token:

[secrets.development]
AWS_ACCESS_KEY = { providers = ["aws-vault"] }
AWS_SECRET_ACCESS_KEY = { providers = ["aws-vault"] }

[secrets.production]
AWS_ACCESS_KEY = { providers = ["aws"] }
AWS_SECRET_ACCESS_KEY = { providers = ["aws"] }

[domenkozar]

See #43 for how it would work