Secret Management

The purpose of this plugin is to prevent exposing sensitive data at the interface level. A secret contains a:

  • name: the name will be exposed in the interface to refer to the value without exposing it.

  • value: the value that we don’t want to expose in the interface.

  • description: content to identify what contains the secret, it supports Markdown formatting. All these parameters are mandatory, they cannot be empty.

The value will not be displayed again in the interface after the creation, make sure to provide a precise description of the secret variable to be able to identify it.

The value of the secret may still appear in agent logs, which are visible in the interface in:

  • the compliance details

  • the technical logs of the agent.

The secrets are stored as clear text in the file located at /var/rudder/configuration-repository/secrets/secrets.json on the server. The value is only hidden in the interface.

How to use

  1. Create a secret variable

create secret
secret interface

When a secret is edited, only non-empty fields are modified.

Once a secret is created, you will not be able to modify its name from the interface.

edit secret
edit secret
  1. In a node property use the format ${data.secret[secret_name]} or ${rudder-data.secret[secret_name]} in a JSON

Secrets can be used in directives and properties. However, they cannot be used directly in the Technique Editor; if you need to use your secrets inside a technique, you’ll need to add a technique parameter and set the secret in the associated directive.

  1. The value will be interpolated by the real value of secret_name create earlier in the plugin interface

← Scale out relay servers System updates →