Skip to main content

Secrets

Secrets contain sensistive information such as passwords, API keys, tokens etc. Air Pipe supports different kinds of secrets and integrate with popular providers i.e. Hashicorp Vault.

You can also use our managed variables and encrypted secrets system if you would like to optionally host them on our backend.

Defining Secrets

To define a secret create a secrets block under global, the secrets section requires an identifier. For example special is used in all secret Air Pipe examples.

Secret options

A secret has a kind — one of local, vault, aws-kms, or command — plus the fields that kind needs: http for Vault; region / credential_file / config_file / data / file for AWS KMS; a ttl; and a format of raw, equal, or json. The full field list is in the Secret reference.

Usage

name: login-api
metrics_enabled: true
docs: true

global:
variables:
SOME_SECRET: MY_SECRET

databases:
main:
driver: postgres
conn_string: |
postgresql://a|env::POSTGRES_USER|:a|env::POSTGRES_PASS|@a|env::POSTGRES_HOST|?connect_timeout=10"

secrets:
special:
kind: vault
http:
url: http://127.0.0.1:8200/v1/secret/data/somePath/someSecret
headers:
X-Vault-Token: airpipe
format: json
accept_invalid_certs: true

Using Secrets

You can access a secret in a configuration file anywhere by following the below syntax.
a|secret::special::someName|

name: get-vault-secrets
metrics_enabled: true
docs: true

global:
secrets:
special:
kind: vault
http:
url: http://127.0.0.1:8200/v1/secret/data/somePath/someSecret
headers:
X-Vault-Token: airpipe
format: json
accept_invalid_certs: true

interfaces:
tests/get-vault-secrets:
summary: Get data from JSON API
description: Get JSON data and add secret from hashicorp vault to attributes
tags: ["secrets"]
output: http
method: GET

actions:
- name: Input
input: a|params|
assert:
tests:
- jq: .id
description: id of post
is_not_null: true

- name: LoginBody
http:
url: https://jsonplaceholder.typicode.com/todos/a|Input::id|

post_transforms:
- add_attribute:
hello: test - a|secret::special::someName|