From dbd49531bd59dc20bb02dd10b388aa107ff7bcbb Mon Sep 17 00:00:00 2001 From: Ajay Kidave Date: Sun, 2 Feb 2025 13:19:46 -0800 Subject: [PATCH] Added plugin level secrets config --- content/docs/Configuration/Secrets.md | 30 +++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/content/docs/Configuration/Secrets.md b/content/docs/Configuration/Secrets.md index 4c6f78f..69659e7 100644 --- a/content/docs/Configuration/Secrets.md +++ b/content/docs/Configuration/Secrets.md @@ -85,6 +85,21 @@ secret = '{{secret "PROVIDER_NAME" "GOOGLE_OAUTH_SECRET"}}' hosted_domain = "example.com" ``` +## Plugin Access to Secrets + +For secrets which are passed to plugins, through app params or plugin arguments, the plugin needs to be authorized to access the secret. The permissions for each plugin are defined in the app definition. For example: + +```python {filename="app.star"} +app = ace.app("test", + routes = [ace.api("/", type="TEXT")], + permissions = [ + ace.permission("exec.in", "run", ["ls"], secrets=[["c1", "c2"], ["TESTENV"]]), + ] + ) +``` + +The secrets accessible are specified as a list of list of strings. In this case, the `{{secret "PROVIDER_NAME" "c1" "c2"}}` and `{{secret "PROVIDER_NAME" "TESTENV"}}` calls are allowed. Additional keys are also permitted. + ## Multiple Keys If the `KEY_NAME` is a single string, it is passed as is to the provider. If multiple keys are specified, they are concatenated and passed to the provider. For example, `{{secret "env" "ABC" "DEF"}}` will get converted to a env lookup for `ABC_DEF`. The delimiter used depends on the provider. The defaults are: 
@@ -102,3 +117,18 @@ keys_printf = "%s-%s.%s" ``` combines `{{secret "prop" "ABC" "DEF" "XYZ"}}` as `ABC-DEF.XYZ`. This allows the app to work with multiple secret providers without requiring code changes in the app. + +## Default Provider + +If the provider name is passed as `default` or set to empty, a default provider is used. The default provider can be configured in the `clace.toml` as + +```toml {filename="clace.toml"} +[app_config] +security.default_secrets_provider = "env" +``` + +The `env` provider is used by default if it is enabled in the config. The default can be changed per app by setting + +```sh +clace app update-metadata conf --promote 'security.default_secrets_provider="prop_myfile"' /myapp +```
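Review bot: "Additional keys are also permitted." in the new "Plugin Access to Secrets" section leaves the matching rule ambiguous in a way that matters for authorization: it reads as if a permission granting `["c1", "c2"]` also allows any `{{secret "PROVIDER_NAME" "c1" "c2" ...}}` call with extra trailing keys, i.e. prefix matching rather than exact matching. Please state explicitly which it is, and whether a single-element entry like `["TESTENV"]` therefore authorizes every secret whose key list starts with `TESTENV`. The section also does not say what happens when a plugin permission omits the `secrets` argument (no secret access at all, or access to everything); documenting that default is the first thing a reader checking their app's exposure will look for. Minor: "a list of list of strings" should be "a list of lists of strings".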
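Review bot: the new "Default Provider" section does not cover the failure case: "The `env` provider is used by default if it is enabled in the config" implies there are configurations where `env` is disabled and `security.default_secrets_provider` is unset, but nothing says whether a `{{secret "default" ...}}` or empty-provider reference then errors out or silently resolves to nothing. Please add a sentence stating the behaviour so readers can tell a misconfiguration from a working setup. Also, "set to empty" should say what "empty" means here (an empty string `""` as the provider name, or the argument omitted), since the two look different in a template.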