Injecting secrets into config files

Now, we’ll go a little further and inject secrets as fields in config files. Typical application configuration files contain at least a database username and password.

First, we’ll write those two new secrets to inject later on:

# Write database username
echo "example_db_user" | secrethub write $SH_USERNAME/testing/db_user
# Write the database password
echo "example_password123" | secrethub write $SH_USERNAME/testing/db_password

Now, we’ll write a config file in which we’ll inject the secrets we’ve just written. We’ll call it config.json.tpl.

Injectable files must use the template syntax ${ <namespace>/<repo>/[<dir>/]<secret>[:<version>] } wherever a secret should be injected; if the version is omitted, the latest version is used. For a more extensive explanation, see the reference documentation for the inject command.

So, the config.json.tpl template file for our example web app should look something like this:

{
    "db_host": "127.0.0.1",
    "db_user": "${ <insert_username_here>/testing/db_user:latest }",
    "db_password": "${ <insert_username_here>/testing/db_password:latest }"
}

On Linux/macOS, we can run the code below to create the config.json.tpl template file for us. Note the backslash before the first $ of each template reference: it stops the shell from trying to expand ${ ... } itself, while the unescaped ${SH_USERNAME} is expanded as usual:

# on Linux/macOS
cat << EOF > config.json.tpl
{
    "db_host": "127.0.0.1",
    "db_user": "\${ ${SH_USERNAME}/testing/db_user:latest }",
    "db_password": "\${ ${SH_USERNAME}/testing/db_password:latest }"
}
EOF

On Windows, we can run the code below to create the config.json.tpl template file for us. The single quotes keep ${ ... } literal, and our username is concatenated in between:

# on Windows (PowerShell)
'{
    "db_host": "127.0.0.1",
    "db_user": "${ '+$SH_USERNAME+'/testing/db_user:latest }",
    "db_password": "${ '+$SH_USERNAME+'/testing/db_password:latest }"
}' > config.json.tpl

If we open config.json.tpl, we see that our username has been filled in and that the db_user and db_password fields contain the ${...} template syntax. Before we can inject the secrets, we must tell SecretHub, through a secrets.yml file, to inject them into config.json.tpl. To do that, we’ll create a secrets.yml file that looks like this:

secrets:
    # inject indicates we want to inject secrets into another file
    - inject:
        # source is the file with the template ${...} syntax
        source: "config.json.tpl"
        # target is the file to write the injected result to
        target: "config.json"
        # filemode sets the file permissions
        filemode: "0660"

On Linux/macOS, we can run the code below to generate the secrets.yml file for us:

# on Linux/macOS
cat << EOF > secrets.yml
secrets:
    - inject:
        source: "config.json.tpl"
        target: "config.json"
        filemode: "0660"
EOF

For Windows, we can run the code below to generate the secrets.yml file for us:

# on Windows (PowerShell)
'secrets:
    - inject:
        source: "config.json.tpl"
        target: "config.json"
        filemode: "0660"
' > secrets.yml

Now, with the config.json.tpl and secrets.yml files placed in our current directory, we can run the secrethub set command to inject the secrets as we defined:

secrethub set

The config.json file has now been written and contains the db_user and db_password secrets, which we can verify by printing it:

cat config.json
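
To make the inject step concrete, here is an added example that simulates it in Python. It is not SecretHub's own code: it parses the ${ ... } reference grammar quoted above, resolves each reference against an in-memory store that stands in for the secret backend, validates the rendered JSON and writes the target file with the filemode from secrets.yml. The namespace alice (playing the role of $SH_USERNAME), the store contents, and the character classes allowed in a secret path are assumptions made for this example.

```python
import json
import os
import re
import stat
import tempfile

# Added example, not SecretHub's implementation. The grammar below is the one
# the tutorial quotes; the character classes are an assumption.
# ${ <namespace>/<repo>/[<dir>/]<secret>[:<version>] }, whitespace inside the
# braces tolerated as in the page's examples.
SECRET_REF = re.compile(
    r"\$\{\s*"
    r"(?P<path>[\w.-]+/[\w.-]+(?:/[\w.-]+)+)"  # namespace/repo/[dir/]secret
    r"(?::(?P<version>latest|\d+))?"          # optional :version
    r"\s*\}"
)

# Constructed stand-in for the secret backend: path -> versions, version 1 first.
SECRET_STORE = {
    "alice/testing/db_user": ["example_db_user"],
    "alice/testing/db_password": ["old_password", "example_password123"],
}

# The tutorial's template with the (assumed) username filled in.
CONFIG_TEMPLATE = """{
    "db_host": "127.0.0.1",
    "db_user": "${ alice/testing/db_user:latest }",
    "db_password": "${ alice/testing/db_password:latest }"
}
"""

# The parsed form of the page's secrets.yml inject entry.
INJECT_ENTRY = {"source": "config.json.tpl", "target": "config.json", "filemode": "0660"}


def lookup_secret(store, path, version=None):
    """Return one version of a secret; None or 'latest' means the newest."""
    versions = store.get(path)
    if versions is None:
        raise KeyError(f"unknown secret: {path}")
    if version in (None, "latest"):
        return versions[-1]
    n = int(version)
    if not 1 <= n <= len(versions):
        raise KeyError(f"{path} has no version {version}")
    return versions[n - 1]


def render_template(template, store):
    """Replace every ${ ... } reference; refuse to leave a reference unresolved."""
    rendered = SECRET_REF.sub(
        lambda m: lookup_secret(store, m.group("path"), m.group("version")), template
    )
    # A malformed reference (e.g. too few path components) is left untouched by
    # the regex; failing here beats deploying a config with a literal "${".
    if "${" in rendered:
        raise ValueError("unresolved or malformed ${ ... } reference in template")
    return rendered


def write_injected(target, content, filemode="0660"):
    """Write the rendered file and return the permission bits it ended up with."""
    mode = int(filemode, 8)
    # Pass the mode at creation so the file never exists with default (often
    # world-readable) permissions, then chmod because the umask masks that mode.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(target, mode)
    return stat.S_IMODE(os.stat(target).st_mode)


def inject(entry, store, workdir):
    """Apply one secrets.yml inject entry inside workdir; return (config dict, mode)."""
    with open(os.path.join(workdir, entry["source"])) as f:
        rendered = render_template(f.read(), store)
    # Substitution is purely textual: a secret containing a quote or backslash
    # would corrupt the JSON, so validate the result before anything consumes it.
    parsed = json.loads(rendered)
    mode = write_injected(os.path.join(workdir, entry["target"]), rendered, entry["filemode"])
    return parsed, mode


def demo():
    """Run the whole inject step in a temporary directory."""
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, INJECT_ENTRY["source"]), "w") as f:
            f.write(CONFIG_TEMPLATE)
        return inject(INJECT_ENTRY, SECRET_STORE, workdir)


if __name__ == "__main__":
    config, mode = demo()
    print(config["db_user"], oct(mode))
```

Two details in the example are worth carrying over to any real injection setup: the target is created with the restrictive mode from the start rather than chmod'ed afterwards, and the rendered output is parsed as JSON before use, because the substitution is textual and a secret containing a quote would silently produce an invalid config.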

To clean up, we run the secrethub clear command again.

secrethub clear

The config.json file should now have been removed, and all that remains on the system are our config.json.tpl and secrets.yml files.

That’s it! We’ve successfully written and injected secrets to a system. Now let’s move on to providing secrets as environment variables to a process.