Secrets
Secrets contain sensistive information such as passwords, API keys, tokens etc. Air Pipe supports different kinds of secrets and integrate with popular providers i.e. Hashicorp Vault.
You can also use our managed variables and encrypted secrets system if you would like to optionally host them on our backend.
Defining Secrets
To define a secret create a secrets block under global, the secrets section requires an identifier.
For example special is used in all secret Air Pipe examples.
Secret options
A secret has a kind — one of local, vault, aws-kms, or command — plus
the fields that kind needs: http for Vault; region / credential_file /
config_file / data / file for AWS KMS; a ttl; and a format of raw,
equal, or json. The full field list is in the
Secret reference.
Usage
name: login-api
metrics_enabled: true
docs: true
global:
variables:
SOME_SECRET: MY_SECRET
databases:
main:
driver: postgres
conn_string: |
postgresql://a|env::POSTGRES_USER|:a|env::POSTGRES_PASS|@a|env::POSTGRES_HOST|?connect_timeout=10"
secrets:
special:
kind: vault
http:
url: http://127.0.0.1:8200/v1/secret/data/somePath/someSecret
headers:
X-Vault-Token: airpipe
format: json
accept_invalid_certs: true
Using Secrets
You can access a secret in a configuration file anywhere by following the below syntax.
a|secret::special::someName|
name: get-vault-secrets
metrics_enabled: true
docs: true
global:
secrets:
special:
kind: vault
http:
url: http://127.0.0.1:8200/v1/secret/data/somePath/someSecret
headers:
X-Vault-Token: airpipe
format: json
accept_invalid_certs: true
interfaces:
tests/get-vault-secrets:
summary: Get data from JSON API
description: Get JSON data and add secret from hashicorp vault to attributes
tags: ["secrets"]
output: http
method: GET
actions:
- name: Input
input: a|params|
assert:
tests:
- jq: .id
description: id of post
is_not_null: true
- name: LoginBody
http:
url: https://jsonplaceholder.typicode.com/todos/a|Input::id|
post_transforms:
- add_attribute:
hello: test - a|secret::special::someName|