Defining secrets as code

Now that we know how to write and read secrets manually, let’s look at how applications can read secrets in a form they already understand. The three most common ways that applications consume secrets are:

  • As a file.
  • As a field in a configuration file.
  • As an environment variable.

Depending on the type of application we’re running, it will most likely consume secrets through one or more of those three methods.

To present secrets on a system in a form that an application can read, we write a machine-readable definition file. The secrethub CLI uses a definition file called secrets.yml to determine which secrets need to be presented on a system and how.

Now, let’s see how this works and write a secret to a file.