Secrets and Configuration
The IDP, Dashboard and PIVCAC apps download their application.yml when we activate/deploy an instance (see activate.rb). Since apps only download new values during instance activation, a recycle is necessary before apps can use them.

We store these application.yml files in S3, and each environment has its own separate file, so secrets and configs need to be explicitly copied across environments; they are not implicitly shared.
The S3 buckets that contain secrets are versioned, so we can recover old versions if needed.
At the end of the day, since these are just files in S3, you can use whatever workflow you want to download, edit, and write them. Make sure you clean up files on your local machine when done.
The easiest way to edit secrets is the app-s3-secret command in the identity-devops repo. These examples are for the IDP app in the sandbox AWS account and the dev environment.

Print the current file:

```sh
cd identity-devops
aws-vault exec sandbox-power -- \
  ./bin/app-s3-secret --app idp --env dev
```
Pipe the output through grep for the keys you want to check:

```sh
cd identity-devops
aws-vault exec sandbox-power -- \
  ./bin/app-s3-secret --app idp --env dev | grep foo
some_foo_key: 'true'
```
Passing --edit will:

- Download the secrets to a tempfile
- Open your $EDITOR (defaults to vim) to edit that copy
- Show you a diff of the preview before uploading
- Clean up the tempfile after

```sh
cd identity-devops
aws-vault exec sandbox-power -- \
  ./bin/app-s3-secret --app idp --env dev --edit
#
# opens vim
#
app-s3-secret: Here's a preview of your changes:
2a3
> foobar: 'true'
app-s3-secret: Upload changes to S3? (y/n) y
```
After updating, recycle the app so it creates new instances that will download this updated config:

```sh
cd identity-devops
aws-vault exec sandbox-power -- \
  ./bin/asg-recycle dev idp
```
Configuration in Rails Apps
To use a value from application.yml in our Rails apps, follow these steps. The IDP, PKI, and Dashboard apps all use this approach, with files named the same way.
Declare the feature flag in

```ruby
config.add(:my_feature_flag, type: :boolean)
```
Configure a default value in config/application.yml.default at the top level of the file. If no value is specified in S3 for this config, this default value will be used in production.
To use the value in code, access it as a property of
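As an added example (not the IDP's own config code), a small Ruby ConfigStore that mirrors the layering described above: typed declarations like config.add, top-level defaults from application.yml.default, per-environment overrides from the S3 file, and coercion of quoted values such as 'true' so a boolean flag is never silently treated as a truthy string. The class, method names and both YAML inputs are hypothetical and constructed here.

```ruby
require 'yaml'

# Hypothetical stand-in for the layered application.yml lookup:
# values from the per-environment S3 file win, otherwise the top-level
# default from config/application.yml.default is used.
class ConfigStore
  class Error < StandardError; end

  def initialize(defaults_yaml, env_yaml)
    @defaults = YAML.safe_load(defaults_yaml) || {}
    @env_values = YAML.safe_load(env_yaml) || {}
    @specs = {}
  end

  # Declare a key and its type, as in config.add(:my_feature_flag, type: :boolean).
  def add(key, type: :string)
    @specs[key.to_s] = type
  end

  # Resolve only declared keys; undeclared keys in S3 are ignored and a
  # declared key with no value in either file is a hard error.
  def build
    @specs.each_with_object({}) do |(key, type), out|
      raw = @env_values.fetch(key) { @defaults.fetch(key) { raise Error, "no value for #{key}" } }
      out[key.to_sym] = coerce(raw, type, key)
    end
  end

  private

  # application.yml values are usually quoted strings ('true'), so coerce by declared type
  # and reject anything that is not a clean boolean/integer rather than guessing.
  def coerce(raw, type, key)
    case type
    when :boolean
      return true if raw == true || raw == 'true'
      return false if raw == false || raw == 'false'
      raise Error, "#{key}: expected boolean, got #{raw.inspect}"
    when :integer then Integer(raw)
    when :string then raw.to_s
    else raise Error, "#{key}: unknown type #{type}"
    end
  end
end

# Constructed sample inputs: a defaults file and an S3 file for one environment.
DEFAULTS_YAML = "my_feature_flag: 'false'\nsome_foo_key: 'false'\nsession_timeout_in_minutes: '15'\n"
S3_YAML = "some_foo_key: 'true'\nunrelated_key_not_declared: 'x'\n"

def load_config(defaults_yaml = DEFAULTS_YAML, env_yaml = S3_YAML)
  store = ConfigStore.new(defaults_yaml, env_yaml)
  store.add(:my_feature_flag, type: :boolean)
  store.add(:some_foo_key, type: :boolean)
  store.add(:session_timeout_in_minutes, type: :integer)
  store.build
end
```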