Writing secrets to files

A typical file that applications need to read is a TLS key. However, to keep it simple, we’re going to use the hello secret and set it as a file.

First, we’ll write a secrets.yml file in our current directory. Note that this file does not contain any sensitive information, so we can check it into version control. To set a secret as a file, we put the following lines of YAML inside a secrets.yml file. Note that the filemode is optional and defaults to 0400.

# All secrets.yml files start with `secrets:`
secrets:
    # file indicates we want to write a secret as a file
    - file:
        # source is the path of the secret inside SecretHub
        source: <insert_username_here>/testing/hello
        # target is the path of the file we want to write to
        target: hello_world.txt
        # filemode sets the file permissions (default "0400")
        filemode: "0660"

Please note that it is only possible to use individual secrets as a source; mapping whole directories is not yet supported.

For Linux/macOS, we can copy and paste the code below in the terminal to write the desired YAML to a secrets.yml file in our current directory:

# on Linux/macOS
cat << EOF > secrets.yml
secrets:
    - file:
        source: ${SH_USERNAME}/testing/hello:latest
        target: hello_world.txt
EOF

For Windows, we can copy and paste the code below in PowerShell to write the desired YAML to a secrets.yml file in our current directory:

# on Windows
'secrets:
    - file:
        source: '+$SH_USERNAME+'/testing/hello:latest
        target: hello_world.txt
' > secrets.yml

When inspecting the secrets.yml file, we see our username was nicely replaced. Now, all that remains is for us to run the secrethub set command. This will parse the secrets.yml file and present the hello secret as we defined it.

secrethub set

As we can see, the hello secret has been written to the hello_world.txt file:

cat hello_world.txt

To clean up, we run the secrethub clear command. This clears the system of any secrets that were set.

secrethub clear

The hello_world.txt file should have been removed now, and all that remains on the system is our secrets.yml file. That’s it, we’ve just codified how to present secrets as files so that applications can read them in. Let’s inject some secrets into a config file next.
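To make the file-writing behaviour described above concrete, here is an added Python example (not SecretHub's own code) that parses the `secrets:` / `- file:` shape shown earlier, writes each target with the requested filemode (defaulting to 0400), and removes the files again, mirroring the set and clear steps. It assumes a constructed in-memory dictionary in place of the SecretHub backend, a constructed secrets.yml with the username `alice`, and that an optional `:version` suffix on the source (like the `:latest` used above) can be stripped before lookup. The security-relevant detail it demonstrates is that the file is created with O_EXCL and its permissions are fixed on the open descriptor before any secret bytes are written, so the secret is never on disk with looser permissions than requested.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample secrets.yml in the shape used above (assumed username "alice").
SAMPLE_SECRETS_YML = """\
# All secrets.yml files start with `secrets:`
secrets:
    - file:
        source: alice/testing/hello:latest
        target: hello_world.txt
        filemode: "0660"
    - file:
        source: alice/testing/tls-key
        target: certs/server.key
"""

# Constructed stand-in for the SecretHub backend: secret path -> secret bytes.
FAKE_STORE = {
    "alice/testing/hello": b"Hello World!\n",
    "alice/testing/tls-key": b"-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n-----END PRIVATE KEY-----\n",
}


def parse_secrets_yml(text):
    """Parse the minimal 'secrets: / - file: / key: value' subset used above.

    This is a tiny purpose-built parser, not a general YAML loader: each
    '- file:' line starts a new entry and the indented 'key: value' lines
    below it fill that entry in. Quotes around values (e.g. "0660") are stripped.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line == "secrets:":
            continue
        if line == "- file:":
            current = {}
            entries.append(current)
            continue
        if current is None:
            raise ValueError(f"unexpected line outside a file entry: {raw!r}")
        key, sep, value = line.partition(":")   # first ':' only; sources may contain ':latest'
        if not sep:
            raise ValueError(f"expected 'key: value': {raw!r}")
        current[key.strip()] = value.strip().strip('"').strip("'")
    for entry in entries:
        missing = {"source", "target"} - entry.keys()
        if missing:
            raise ValueError(f"file entry missing {sorted(missing)}: {entry}")
    return entries


def parse_filemode(value):
    """'0660' -> 0o660. Only rwx permission bits are accepted (no setuid/sticky)."""
    mode = int(value, 8)
    if mode & ~0o777:
        raise ValueError(f"filemode {value!r} sets bits beyond rwx permissions")
    return mode


def set_secrets(entries, store, root):
    """Write every entry's secret to root/target (the 'secrethub set' step).

    O_EXCL refuses to reuse a pre-existing file or symlink at the target, and
    fchmod fixes the exact mode (unaffected by umask) on the open descriptor
    before any bytes are written, so the file never exists more readable than
    the requested filemode. Returns the list of paths written."""
    written = []
    for entry in entries:
        path, _, _version = entry["source"].partition(":")   # assumed optional ':version' suffix
        if path not in store:
            raise KeyError(f"secret not found: {path}")
        mode = parse_filemode(entry.get("filemode", "0400"))   # default from the text above
        target = Path(root) / entry["target"]
        target.parent.mkdir(parents=True, exist_ok=True, mode=0o700)
        fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        try:
            os.fchmod(fd, mode)
            os.write(fd, store[path])
        finally:
            os.close(fd)
        written.append(target)
    return written


def clear_secrets(entries, root):
    """Remove the target files written by set_secrets (the 'secrethub clear' step)."""
    removed = []
    for entry in entries:
        target = Path(root) / entry["target"]
        if target.exists():
            target.unlink()
            removed.append(target)
    return removed


def demo():
    """Round trip in a temporary directory: set, record mode and content, clear.

    Returns ({target: (permission bits, content)}, [targets left behind after clear])."""
    entries = parse_secrets_yml(SAMPLE_SECRETS_YML)
    with tempfile.TemporaryDirectory() as root:
        set_secrets(entries, FAKE_STORE, root)
        result = {}
        for entry in entries:
            p = Path(root) / entry["target"]
            result[entry["target"]] = (os.stat(p).st_mode & 0o777, p.read_bytes())
        clear_secrets(entries, root)
        leftover = [e["target"] for e in entries if (Path(root) / e["target"]).exists()]
    return result, leftover


if __name__ == "__main__":
    result, leftover = demo()
    for target, (mode, data) in result.items():
        print(f"{target}: mode {mode:04o}, {len(data)} bytes")
    print("left behind after clear:", leftover)
```

Running the script shows hello_world.txt created as 0660 (the explicit filemode) and certs/server.key as 0400 (the default), and an empty list after the clear step, which is the same end state the secrethub clear command leaves behind above.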