Secrets stores

Server applications are often required to store secret data: Steam publisher keys, passwords, encryption keys and a lot more. To securely save this data, Stormancer provides the secrets store API.

The secrets store system is extensible, allowing Grid plugins to provide alternative implementations behind a simple, unified API. By default, the grid includes an internal secrets store distributed across the cluster and protected by the key of each node.

Managing the secrets stores

The secrets stores in a Stormancer cluster can be managed using the Management CLI or directly through the management Web API.

Web APIs

GET: _secrets/{accountId}

Gets a summary of all secrets stores in an account.

GET: _secrets/{accountId}/{secretStore}

Gets a secrets store and the list of key ids it contains.

PUT: _secrets/{accountId}/{secretStore}

Creates a secrets store using the parameters provided in the body:

    //Type of the secrets store. By default, only internal is supported, but plugins can add other options, for instance AWS or Azure key vaults.

    //Optional parameters passed to the secrets store implementation. Internal doesn't require any parameter.

DELETE: _secrets/{accountId}/{secretStore}

Deletes a secrets store and all the secrets stored in it.

PUT: _secrets/{accountId}/{secretStore}/{keyId}

Sets the body of the request as the secret associated with keyId in the secrets store.

DELETE: _secrets/{accountId}/{secretStore}/{keyId}

Deletes a secret from the secrets store.

CLI commands

To get help about the secrets stores commands, run:

>stormancer manage secrets --help

Using the secrets store in an application

The dependency resolver of server applications provides the ISecretsStore interface to interact with the secrets store:

using System.Threading.Tasks;

/// <summary>
/// Provides access to the grid secret store.
/// </summary>
public interface ISecretsStore
{
    /// <summary>
    /// Gets secrets associated with a usage for the application.
    /// </summary>
    /// <param name="secretPath">A path to a secret in the cluster's secrets stores, in the form {accountId}/{secretStoreId}/{secretId}</param>
    /// <returns></returns>
    Task<Secret> GetSecret(string secretPath);

    /// <summary>
    /// Sets a secret in a secrets store.
    /// </summary>
    /// <param name="secretPath">A path to the secret to set, in the form {accountId}/{secretStore}/{keyId}</param>
    /// <param name="value">The value of the secret, as raw bytes.</param>
    /// <returns></returns>
    Task<Secret> SetSecret(string secretPath, byte[] value);
}
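
Because a secret is addressed by a single {accountId}/{secretStore}/{keyId} string, a key id taken from configuration or a request should be validated before it is joined into the path, so that it cannot address another store or account. The following is an added example, not Stormancer code: the ScopedSecrets class and its character policy are assumptions, and it relies on the ISecretsStore and Secret types shown above.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
// Also add the using directive for the namespace that declares ISecretsStore
// and Secret in the Stormancer server package you reference.

/// <summary>
/// Hypothetical helper (not part of Stormancer): pins the caller to one account
/// and one secrets store, and validates every key id before building the path.
/// </summary>
public sealed class ScopedSecrets
{
    private const string AllowedPunctuation = "-_.";
    private readonly ISecretsStore _store;
    private readonly string _prefix;

    public ScopedSecrets(ISecretsStore store, string accountId, string secretStore)
    {
        _store = store ?? throw new ArgumentNullException(nameof(store));
        _prefix = CheckSegment(accountId, nameof(accountId)) + "/" +
                  CheckSegment(secretStore, nameof(secretStore));
    }

    // Builds {accountId}/{secretStore}/{keyId}; throws if keyId is not a single safe segment.
    public string BuildPath(string keyId) => _prefix + "/" + CheckSegment(keyId, nameof(keyId));

    public Task<Secret> Get(string keyId) => _store.GetSecret(BuildPath(keyId));

    public Task<Secret> Set(string keyId, byte[] value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        return _store.SetSecret(BuildPath(keyId), value);
    }

    // Assumed policy: ASCII letters and digits plus '-', '_' and '.', at most
    // 128 characters, and no "." or ".." segments. Rejecting '/' is the point:
    // a separator inside a segment would change which store the path addresses.
    private static string CheckSegment(string segment, string name)
    {
        bool valid = !string.IsNullOrEmpty(segment)
            && segment.Length <= 128
            && segment != "." && segment != ".."
            && segment.All(c => (c < 128 && char.IsLetterOrDigit(c))
                                || AllowedPunctuation.IndexOf(c) >= 0);
        if (!valid) throw new ArgumentException("Invalid secret path segment.", name);
        return segment;
    }
}
```

Construct it once with the account and store ids from trusted configuration; a key id such as "other-store/admin-key" (constructed sample) is then rejected with an ArgumentException instead of being forwarded to GetSecret.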