Using the Secrets Store

The secrets store provides secured variable storage (key-value pairs) for data that you do not want to expose in plain text in Cloudify blueprints, such as login credentials for a platform. Secret values are encrypted in the database using the Fernet encryption of the cryptography library, a symmetric encryption scheme that ensures an encrypted message cannot be read or manipulated without the key. When you create a secret, the value can be a text string or a file that contains the value. The secrets store lets you keep all secrets (for example credentials to IaaS environments) separate from blueprints, and ensures that secrets adhere to the isolation requirements between tenants. You can reference the secret key in your blueprints without including the actual values in them. For more information, see the get_secret intrinsic function.

Secrets with a hidden value

All secret values are encrypted in the database. When you create a secret, you can specify whether its value is hidden. The value of a hidden secret is shown only to the user who created it, tenant managers and sys-admins. Users can use the secret according to their user roles and the visibility of the secret.
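The two properties described above (values encrypted at rest with Fernet, and hidden values shown only to the creator, tenant managers and sys-admins) as an added illustration; this is a hypothetical in-memory model, not Cloudify's own code, and it assumes the cryptography package is installed:

```python
import base64
from dataclasses import dataclass
from cryptography.fernet import Fernet, InvalidToken

# Roles that may read a hidden value even when they did not create the secret
PRIVILEGED_ROLES = {"sys_admin", "tenant_manager"}

@dataclass
class StoredSecret:
    token: bytes    # Fernet token: the only form of the value that reaches the database
    creator: str
    hidden: bool

class SecretStore:
    """Hypothetical in-memory stand-in for the manager's encrypted secrets table."""

    def __init__(self, key=None):
        self._fernet = Fernet(key or Fernet.generate_key())  # key held apart from the data
        self._db: dict = {}

    def create(self, name: str, value: str, creator: str, hidden: bool = False) -> None:
        self._db[name] = StoredSecret(self._fernet.encrypt(value.encode()), creator, hidden)

    def get(self, name: str, user: str, role: str = "user"):
        rec = self._db[name]
        if rec.hidden and user != rec.creator and role not in PRIVILEGED_ROLES:
            return None  # hidden value withheld; the secret can still be used, not shown
        return self._fernet.decrypt(rec.token).decode()

    def raw_token(self, name: str) -> bytes:
        return self._db[name].token

    def token_is_valid(self, token: bytes) -> bool:
        try:
            self._fernet.decrypt(token)
            return True
        except InvalidToken:
            return False

def tamper_is_detected(store: SecretStore, name: str) -> bool:
    """Flip one ciphertext byte; the token's HMAC no longer verifies, so decrypt refuses."""
    raw = bytearray(base64.urlsafe_b64decode(store.raw_token(name)))
    raw[-33] ^= 0x01  # last ciphertext byte, just before the 32-byte HMAC tag
    return not store.token_is_valid(base64.urlsafe_b64encode(bytes(raw)))

def wrong_key_is_rejected(store: SecretStore, name: str) -> bool:
    """A manager holding a different key can neither verify nor read the stored token."""
    return not SecretStore().token_is_valid(store.raw_token(name))
```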

Secrets from remote provider

A secret value can be provided by a remote Secrets Provider, such as Vault or another Cloudify Manager. If a provider is set up for a secret and the connection to the provider is available, the secret value is passed in decrypted form. See Secrets Providers for more details.

Updating a secret

Updating a secret with a shown value

Updating a secret with a hidden value

Only the creator of the secret, a sys-admin, or a tenant manager of the tenant in which the secret is stored can see, update or delete a secret with a hidden value (unlike a secret with a shown value, which other users in the tenant can also update or delete).

Creating a secret from the CLI

You can use the cfy secrets command to manage Cloudify secrets (key-value pairs).

$ cfy secrets create test -s test_value
...

Secret `test` created

...

For more commands, see secrets command line.

Creating a local secret from the Cloudify Management Console

  1. Go to the Secrets page.
  2. Click Create in the Secret Store Management widget.
  3. Insert the following values:
    • The secret key
    • The secret value (or select the secret file from your file repository)
    • The visibility level (the icon of the green man)
    • Whether the value of the secret should be hidden
  4. Click Create.

Create Secret

Creating a remotely provided secret from the Cloudify Management Console

  1. Go to the Secrets page.
  2. Click Create in the Secret Store Management widget.
  3. Insert the secret key.
  4. Select the checkbox “Retrieve the secret value from a secret provider” (you must have at least one secret provider defined in Cloudify to use this option; see the Secret Providers widget for details).
  5. Select the secret provider from the dropdown list.
  6. Insert the secret’s path in the selected secret provider.
  7. Click Create.

Create Secret

Click the eye icon to view the secret value.

Updating a secret from the Cloudify Management Console

To change the visibility level of the secret, click the visibility icon in the key cell.

To hide the secret value, select the Hidden checkbox.

To update the secret value, click the edit icon on the right; the delete icon is next to it.

View Secret