Skip to main content

Secrets

Secrets contain sensistive information such as passwords, API keys, tokens etc. Air Pipe supports different kinds of secrets and integrate with popular providers i.e. Hashicorp Vault.

You can also use our managed variables and encrypted secrets system if you would like to optionally host them on our backend.

Defining Secrets

To define a secret create a secrets block under global, the secrets section requires an identifier. For example special is used in all secret Air Pipe examples.

Secret Options

NameTypeDescription
kindstringtype of secret store i.e. Vault, local, AwsKms, Command
httparraySee HTTP Documentation for more details
ttlstringtime to live for the secret
regionstringaws kms region
credential_filestringaws credential
config_filestringaws config file
datastringBase64 encoded kms string to decrypt
filestringPath to file containing b64 encoded kms string to decrypt
formatstringsecret format i.e. Ray, Equal, Json

Usage

name: login-api
metrics_enabled: true
docs: true

global:
  variables:
    SOME_SECRET: MY_SECRET

    databases:
      main:
        driver: postgres
        conn_string: |
          postgresql://a|env::POSTGRES_USER|:a|env::POSTGRES_PASS|@a|env::POSTGRES_HOST|?connect_timeout=10"

    secrets:
      special:
        kind: vault
        http:
          url: http://127.0.0.1:8200/v1/secret/data/somePath/someSecret
          headers:
            X-Vault-Token: airpipe
          format: json
          accept_invalid_certs: true

Using Secrets

You can access a secret in a configuration file anywhere by following the below syntax.
a|secret::special::someName|

name: get-vault-secrets
metrics_enabled: true
docs: true

global:
  secrets:
    special:
      kind: vault
      http:
        url: http://127.0.0.1:8200/v1/secret/data/somePath/someSecret
        headers:
          X-Vault-Token: airpipe
        format: json
        accept_invalid_certs: true

interfaces:
  tests/get-vault-secrets:
    summary: Get data from JSON API
    description: Get JSON data and add secret from hashicorp vault to attributes
    tags: ["secrets"]
    output: http
    method: GET

    actions:
      - name: Input
        input: a|params
        assert:
          tests:
            - jq: .id
              description: id of post
              is_not_null: true

      - name: LoginBody
        http:
          url: https://jsonplaceholder.typicode.com/todos/a|Input::id|

        post_transforms:
          - add_attribute:
              hello: test - a|secret::special::someName|