Secrets & variables
Manage secrets and variables across services, environments, and projects, secure storage with per-environment overrides.
Concept
When developing services, it's often necessary to provide information that changes depending on the environment. This information can't be hardcoded and includes:
- Feature Flags: Change the behaviour of the service from one environment to another.
- Secrets and Variables: External keys and secrets needed to interact with services like OpenAI.
- URLs and Passwords: Credentials and URLs for dependencies like PostgreSQL databases.
Common Challenges
Currently, organisations use various methods to handle these configurations:
- Creating environment variables for some settings.
- Storing secrets in secret stores.
- Maintaining environment-specific configuration files.
These approaches can lead to security risks and human errors, such as:
- Accidentally exposing passwords while adding them to a secret store.
- Inputting incorrect URLs or credentials.
Our Solution
We address these challenges by modelling all configurations using environment variables. Here's how it works:
- Project-Level Secrets and Variables: Define secrets and variables at the project level that can be referenced by multiple resources using different key names.
- Resource Variables: Create environment variables for individual resources, such as feature flags.
- Direct Connections: Directly connect to databases or other resources and automatically wire values like URLs, usernames, and passwords.
Our platform injects these variables at runtime, determining their values for each environment. Users can provide default values for project-level secrets and variables or resource variables which can be overridden at the environment level. This approach centralises the management of common variables, making it easier and more secure.
Using Environment Variables in Code
Here are examples of how to use these environment variables in Node.js, and Python applications.
Node.js
const myEnvVariable = process.env.MY_ENV_VARIABLE;
console.log(`Environment Variable: ${myEnvVariable}`);Python
import os
my_env_variable = os.getenv('MY_ENV_VARIABLE')
print(f'Environment Variable: {my_env_variable}')By following these practices and using Facets.cloud, you can efficiently manage environment-specific configurations, reduce security risks, and minimize human errors.
Project-Level Secrets & Variables
Define secrets and variables once at the project level as a single source of truth, auto-inject them across resources, and override values per environment.
Environment-Level Management
View and manage secrets and variables across all environments from one interface, comparing values and spotting default versus custom overrides at a glance.
Resource Variables
Define resource-specific variables at the blueprint level as defaults, then override them per environment with a clear hierarchy of inherited and custom values.
Resource Connections
Connect resources in Facets using dollar referencing to wire one resource's properties into another, keeping dependencies consistent across all environments.
Secrets Backend Integration
Store secrets in AWS Secrets Manager, Google Cloud Secret Manager, or Vault-compatible OpenBao, with the backend set by your environment's cluster config.
Dependent envs use cases
Use cases for dependent environments in Facets: feature and non-prod environments within a project, and shared non-prod infrastructure across projects.
Project-Level Secrets & Variables
Define secrets and variables once at the project level as a single source of truth, auto-inject them across resources, and override values per environment.