I’ve recently been working with secrets.yml files that point to different secrets for different environments, and I wanted to share what I’ve learned!
If my usual command to run my app is `run-my-app`, I knew that I could write my secrets.yml and wrap that command in a call to Summon in order to inject the secret values into the app's environment at runtime.
But what if I have different secrets for dev and prod?
I can use environments in my secrets.yml!
```yaml
dev:
  DB_PASSWORD: !var dev/my-app/db-password
prod:
  DB_PASSWORD: !var prod/my-app/db-password
```

Then my command becomes `summon -e dev run-my-app` or `summon -e prod run-my-app`, depending on which environment I want to use.
But there's more! What if there are some secrets that are common across dev and prod? Then I can add a `common` environment to my secrets.yml:

```yaml
common:
  AWS_ACCESS_KEY_ID: !var aws/access-key-id
  AWS_SECRET_ACCESS_KEY: !var aws/secret-access-key
dev:
  DB_PASSWORD: !var dev/my-app/db-password
prod:
  DB_PASSWORD: !var prod/my-app/db-password
```
Then when I run either `summon -e dev run-my-app` or `summon -e prod run-my-app`, it automatically also loads the variables listed in the `common` section (this section could also be named `default`). That is, my app will have access to both the `DB_PASSWORD` from the proper environment AND the AWS credentials that are common to all environments.
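To make the merging behaviour concrete, here is an added example (my own illustration, not Summon's code) that parses the secrets.yml above, merges the `common`/`default` section with the selected environment, and resolves each `!var` against a constructed in-memory provider in place of a real secrets backend. It assumes that an environment's entry wins over a `common` entry with the same name, and that untagged values are literals.

```python
import re

# Constructed sample secrets.yml, mirroring the post's final example.
SAMPLE_SECRETS_YML = """
common:
  AWS_ACCESS_KEY_ID: !var aws/access-key-id
  AWS_SECRET_ACCESS_KEY: !var aws/secret-access-key
dev:
  DB_PASSWORD: !var dev/my-app/db-password
prod:
  DB_PASSWORD: !var prod/my-app/db-password
"""

# Constructed stand-in for a Summon provider: variable id -> secret value.
FAKE_PROVIDER = {
    "aws/access-key-id": "AKIA-EXAMPLE",
    "aws/secret-access-key": "aws-secret-example",
    "dev/my-app/db-password": "dev-db-pass",
    "prod/my-app/db-password": "prod-db-pass",
}
_SECTION = re.compile(r"^([\w-]+):\s*$")                          # top-level environment name
_ENTRY = re.compile(r"^\s+(\w+):\s*(?:!(var|str)\s+)?(.+?)\s*$")  # VAR: [!var|!str] value

def parse_sections(text):
    """Parse the two-level secrets.yml shape shown above (no YAML library needed)."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = _ENTRY.match(line)
        if m is None or current is None:
            raise ValueError(f"unrecognised secrets.yml line: {line!r}")
        name, tag, value = m.groups()
        current[name] = (tag or "str", value)   # untagged values are literals here (assumption)
    return sections

def resolve_environment(text, env, provider):
    """Return the env vars Summon would inject for `summon -e <env>`."""
    sections = parse_sections(text)
    if env not in sections:
        raise KeyError(f"secrets.yml has no section named {env!r}")
    merged = {}
    for name in ("common", "default", env):   # env entries win on conflict (assumption)
        merged.update(sections.get(name, {}))
    return {k: provider[v] if tag == "var" else v for k, (tag, v) in merged.items()}
```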
Pretty cool.
For more info on this and other Summon features, check out the project README on GitHub.
Geri Jennings, PhD is an Engineering Manager on the Conjur team. She enjoys learning new things, and usually comes out with a blog post when there’s an idea she can’t shake. Follow her on twitter at @izgerij.