Secrets and Configuration

Overview

The IDP, Dashboard and PIVCAC apps download their application.yml when we activate/deploy an instance (see deploy/activate and the activate.rb). Since apps only download new values during instance activation, a recycle is necessary before apps can use updated configs.

We store these application.yml files in S3. Each environment (int, dev) has its own separate file, so secrets and configs are not implicitly shared across environments; they need to be explicitly copied.

The S3 buckets that contain secrets are versioned, so we can recover old versions if needed.

At the end of the day, since these are just files in S3, you can use whatever workflow you want to download, edit, and write them. Make sure you clean up files on your local machine when done.

Using app-s3-secret

The easiest way to edit secrets is the app-s3-secret command in the identity-devops repo.

These examples are for the IDP app in the sandbox AWS account and the dev environment:

Viewing Secrets

cd identity-devops
aws-vault exec sandbox-power -- \
  ./bin/app-s3-secret --app idp --env dev

Recommended: grep for the keys you want to check

cd identity-devops
aws-vault exec sandbox-power -- \
  ./bin/app-s3-secret --app idp --env dev | grep foo
some_foo_key: 'true'

Editing Secrets

Adding --edit will:

  • Download the secrets to a tempfile
  • Open your $EDITOR (defaults to vim) to edit that copy
  • Show you a diff of the preview before uploading
  • Clean up the tempfile after

cd identity-devops
aws-vault exec sandbox-power -- \
  ./bin/app-s3-secret --app idp --env dev --edit
#
# opens vim
#
app-s3-secret: Here's a preview of your changes:
2a3
>   foobar: 'true'
app-s3-secret: Upload changes to S3? (y/n)
y

After updating, recycle the app so it creates new instances that will download this updated config.

cd identity-devops
aws-vault exec sandbox-power -- \
  ./bin/asg-recycle dev idp

Configuration in Rails Apps

To use a value in the application.yml in our Rails apps, follow these steps. The IDP, PKI, and Dashboard apps all use this approach, with files named the same way.

  1. Declare the feature flag in lib/identity_config.rb’s #build_store method.

    Example:

    config.add(:my_feature_flag, type: :boolean)

    View in IDP repo, PKI repo, Dashboard repo

  2. Configure a default value in config/application.yml.default at the top level of the file. If there is no value specified in S3 for this config, this default value will be used in production.

    Example:

    my_feature_flag: 'true'

    View in IDP repo, PKI repo, Dashboard repo

  3. To use the value in code, access it as a property of IdentityConfig.store

    Example:

    IdentityConfig.store.my_feature_flag
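To show how the three steps fit together, here is an added, self-contained Ruby store, not the IDP's lib/identity_config.rb. It follows the same shape: keys are declared with a type (`add(:my_feature_flag, type: :boolean)`), defaults come from application.yml.default, values from the environment's application.yml in S3 override them, and declared keys are read as properties. Both YAML documents are constructed inline so it runs offline; the names `ConfigStore`, `build_store` and the sample keys are this example's own. It also shows two checks a practitioner wants: a declared key with neither a default nor an S3 value fails at boot, and reading a key that was never declared raises instead of silently returning nil.

```ruby
require 'yaml'

class ConfigStore
  class MissingKey < StandardError; end
  class UnknownKey < StandardError; end

  # application.yml values are strings ('true', '15'), so each declared type
  # gets a converter; an unparseable value fails at boot, not at first use.
  CONVERTERS = {
    boolean: lambda { |v|
      raise ArgumentError, "not a boolean: #{v.inspect}" unless %w[true false].include?(v.to_s)
      v.to_s == 'true'
    },
    integer: ->(v) { Integer(v.to_s) },
    string:  ->(v) { v.to_s },
  }.freeze

  # defaults: parsed application.yml.default; overrides: parsed S3 application.yml
  def initialize(defaults, overrides)
    @raw = defaults.merge(overrides)   # the S3 value wins when both define a key
    @values = {}
  end

  # Step 1: declare the key and its type (mirrors config.add in #build_store).
  def add(key, type:)
    raise MissingKey, "#{key} has no default and no S3 value" unless @raw.key?(key.to_s)

    @values[key] = CONVERTERS.fetch(type).call(@raw[key.to_s])
    self
  end

  # Step 3: typed property access, e.g. store.my_feature_flag.
  def method_missing(name, *args)
    return @values.fetch(name) if args.empty? && @values.key?(name)
    raise UnknownKey, "#{name} was not declared with #add" if args.empty?

    super
  end

  def respond_to_missing?(name, include_private = false)
    @values.key?(name) || super
  end

  def to_h
    @values.dup
  end
end

# Step 2: constructed stand-in for config/application.yml.default.
DEFAULTS_YML = <<~YAML
  my_feature_flag: 'false'
  session_timeout_minutes: '15'
YAML

# Constructed stand-in for the dev environment's application.yml from S3.
S3_YML = <<~YAML
  my_feature_flag: 'true'
YAML

def build_store(defaults_yml = DEFAULTS_YML, env_yml = S3_YML)
  store = ConfigStore.new(YAML.safe_load(defaults_yml), YAML.safe_load(env_yml))
  store.add(:my_feature_flag, type: :boolean)
  store.add(:session_timeout_minutes, type: :integer)
  store
end
```

With both files loaded, `build_store.my_feature_flag` is `true` because the S3 value overrides the default; with an empty S3 file it falls back to `false`, which is the behaviour step 2 describes for production when no value is set in S3.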