Secrets

Managing secrets is critical for application security.

The following functions are secure and allow you to re-use secrets across different Makes components.

secretsForAwsFromEnv

Load AWS secrets from environment variables.

Types:

  • secretsForAwsFromEnv (attrsOf awsFromEnvType): Optional. Defaults to { }.
  • awsFromEnvType (submodule):
    • accessKeyId (str): Optional. Name of the environment variable that stores the value of the AWS Access Key Id. Defaults to "AWS_ACCESS_KEY_ID".
    • defaultRegion (str): Optional. Name of the environment variable that stores the value of the AWS Default Region. Defaults to "AWS_DEFAULT_REGION" (which defaults to "us-east-1").
    • secretAccessKey (str): Optional. Name of the environment variable that stores the value of the AWS Secret Access Key. Defaults to "AWS_SECRET_ACCESS_KEY".
    • sessionToken (str): Optional. Name of the environment variable that stores the value of the AWS Session Token. Defaults to "AWS_SESSION_TOKEN" (which defaults to "").

Always available outputs:

  • /secretsForAwsFromEnv/__default__:
    • accessKeyId: "AWS_ACCESS_KEY_ID";
    • defaultRegion: "AWS_DEFAULT_REGION";
    • secretAccessKey: "AWS_SECRET_ACCESS_KEY";
    • sessionToken: "AWS_SESSION_TOKEN";

Example:

{
  outputs,
  lintTerraform,
  secretsForAwsFromEnv,
  ...
}: {
  secretsForAwsFromEnv = {
    makesDev = {
      accessKeyId = "ENV_VAR_FOR_MAKES_DEV_AWS_ACCESS_KEY_ID";
      secretAccessKey = "ENV_VAR_FOR_MAKES_DEV_AWS_SECRET_ACCESS_KEY";
    };
    makesProd = {
      accessKeyId = "ENV_VAR_FOR_MAKES_PROD_AWS_ACCESS_KEY_ID";
      secretAccessKey = "ENV_VAR_FOR_MAKES_PROD_AWS_SECRET_ACCESS_KEY";
    };
  };
  lintTerraform = {
    modules = {
      moduleDev = {
        setup = [
          outputs."/secretsForAwsFromEnv/makesDev"
        ];
        src = "/my/module1";
        version = "0.14";
      };
      moduleProd = {
        setup = [
          outputs."/secretsForAwsFromEnv/makesProd"
        ];
        src = "/my/module2";
        version = "0.14";
      };
    };
  };
}

secretsForAwsFromGitlab

Acquire an AWS session using GitLab CI OIDC.

Types:

  • secretsForAwsFromGitlab (attrsOf awsFromGitlabType): Optional. Defaults to { }.
  • awsFromGitlabType (submodule):
    • roleArn (str): ARN of the AWS role to be assumed.
    • duration (ints.positive): Optional. Duration in seconds of the session. Defaults to 3600.
    • retries (ints.positive): Optional. Number of login retries before failing. One retry per second. Defaults to 15.

Example:

{
  outputs,
  lintTerraform,
  secretsForAwsFromGitlab,
  ...
}: {
  secretsForAwsFromGitlab = {
    makesDev = {
      roleArn = "arn:aws:iam::123456789012:role/dev";
      duration = 3600;
      retries = 30;
    };
    makesProd = {
      roleArn = "arn:aws:iam::123456789012:role/prod";
      duration = 7200;
      retries = 30;
    };
  };
  lintTerraform = {
    modules = {
      moduleDev = {
        setup = [
          outputs."/secretsForAwsFromGitlab/makesDev"
        ];
        src = "/my/module1";
        version = "0.14";
      };
      moduleProd = {
        setup = [
          outputs."/secretsForAwsFromGitlab/makesProd"
        ];
        src = "/my/module2";
        version = "0.14";
      };
    };
  };
}
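The shell below is an added example, not Makes' own implementation, of how a setup step with the same knobs as secretsForAwsFromGitlab (role ARN, session duration in seconds, one retry per second) can exchange a GitLab CI OIDC token for short-lived AWS credentials. It assumes the AWS CLI is on PATH and that the job's ID token is in GITLAB_OIDC_TOKEN (the variable name is an assumption; it is whatever the job's id_tokens entry is called).

```shell
#!/usr/bin/env bash
# Added example: GitLab OIDC token -> AWS STS session, with bounded retries.
# Assumes: aws CLI on PATH, GITLAB_OIDC_TOKEN holds the job's ID token.
set -eu

# aws_session_from_gitlab ROLE_ARN DURATION_SECONDS RETRIES
# On success exports AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and
# AWS_SESSION_TOKEN; returns non-zero after RETRIES failed attempts.
aws_session_from_gitlab() {
  local role_arn="$1" duration="$2" retries="$3" attempt=1 creds
  local token="${GITLAB_OIDC_TOKEN:?GitLab OIDC token is not set}"
  while :; do
    # --query flattens the three credential fields onto one tab-separated line
    if creds="$(aws sts assume-role-with-web-identity \
        --role-arn "$role_arn" \
        --role-session-name "gitlab-${CI_JOB_ID:-local}" \
        --web-identity-token "$token" \
        --duration-seconds "$duration" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text 2>/dev/null)"; then
      # Split on whitespace; STS values contain no spaces or glob characters.
      # The values are exported, never echoed, so they do not land in job logs.
      # shellcheck disable=SC2086
      set -- $creds
      export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
      return 0
    fi
    if [ "$attempt" -ge "$retries" ]; then
      echo "assume-role-with-web-identity failed after ${retries} attempts" >&2
      return 1
    fi
    attempt=$((attempt + 1))
    sleep 1   # one retry per second, matching the retries semantics above
  done
}
```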

secretsForEnvFromSops

Export secrets from a Sops encrypted manifest to environment variables.

Types:

  • secretsForEnvFromSops (attrsOf secretForEnvFromSopsType): Optional. Defaults to { }.
  • secretForEnvFromSopsType (submodule):
    • manifest (str): Relative path to the encrypted Sops file.
    • vars (listOf str): Names of the values to export out of the manifest.

Example:

{
  outputs,
  ...
}: {
  secretsForEnvFromSops = {
    cloudflare = {
      # Manifest contains inside:
      #   CLOUDFLARE_ACCOUNT_ID: ... ciphertext ...
      #   CLOUDFLARE_API_TOKEN: ... ciphertext ...
      manifest = "/infra/secrets/prod.yaml";
      vars = [ "CLOUDFLARE_ACCOUNT_ID" "CLOUDFLARE_API_TOKEN" ];
    };
  };
  lintTerraform = {
    modules = {
      moduleProd = {
        setup = [
          outputs."/secretsForEnvFromSops/cloudflare"
        ];
        src = "/my/module1";
        version = "0.14";
      };
    };
  };
}

secretsForGpgFromEnv

Load GPG public or private keys from environment variables into an ephemeral key-ring.

Each key's content must be stored in an environment variable in ASCII Armor format.

Types:

  • secretsForGpgFromEnv (attrsOf (listOf str)): Optional. Mapping of name to a list of environment variable names where the GPG key contents are stored. Defaults to { }.

Example:

# /path/to/my/project/secrets.yaml
password: ENC[AES256_GCM,data:cLbgzNHgBN5drfsDAS+RTV5fL6I=,iv:2YHhHxKg+lbGqdB5nhhG2YemeKB6XWvthGfNNkVgytQ=,tag:cj/el3taq1w7UOp/JQSNwA==,type:str]
# ...
# /path/to/my/project/makes.nix
{
  outputs,
  ...
}: {
  # Load keys into an ephemeral GPG keyring
  secretsForGpgFromEnv = {
    example = [
      "ENV_VAR_FOR_PRIVATE_KEY_CONTENT"
      "ENV_VAR_FOR_PUB_KEY_CONTENT"
    ];
  };
  # Use sops to decrypt an encrypted file
  secretsForEnvFromSops = {
    example = {
      manifest = "/secrets.yaml";
      vars = [ "password" ];
    };
  };
}
# /path/to/my/project/makes/example/main.nix
{
  makeScript,
  outputs,
  ...
}:
makeScript {
  name = "example";
  searchPaths.source = [
    # First setup an ephemeral GPG keyring
    outputs."/secretsForGpgFromEnv/example"
    # Now sops will decrypt secrets using the GPG keys in the ring
    outputs."/secretsForEnvFromSops/example"
  ];
  entrypoint = ''
    echo Decrypted password: $password
  '';
}
$ m . /example

  Decrypted password: 123

secretsForKubernetesConfigFromAws

Create a Kubernetes config file out of an AWS EKS cluster and set it up in the KUBECONFIG environment variable.

Types:

  • secretsForKubernetesConfigFromAws (attrsOf secretForKubernetesConfigFromAwsType): Optional. Defaults to { }.
  • secretForKubernetesConfigFromAwsType (submodule):
    • cluster (str): AWS EKS Cluster name.
    • region (str): AWS Region the EKS cluster is located in.

Example:

{
  outputs,
  ...
}: {
  secretsForKubernetesConfigFromAws = {
    myCluster = {
      cluster = "makes-k8s";
      region = "us-east-1";
    };
  };
  deployTerraform = {
    modules = {
      moduleProd = {
        setup = [
          outputs."/secretsForKubernetesConfigFromAws/myCluster"
        ];
        src = "/my/module1";
        version = "0.14";
      };
    };
  };
}

secretsForTerraformFromEnv

Export secrets in a format suitable for Terraform from the given environment variables.

Types:

  • secretsForTerraformFromEnv (attrsOf (attrsOf str)): Optional. Mapping of secrets group name to a mapping of Terraform variable names to environment variable names. Defaults to { }.

Example:

{
  outputs,
  ...
}: {
  secretsForTerraformFromEnv = {
    example = {
      # Equivalent in Bash to:
      #   export TF_VAR_cloudflareAccountId=$ENV_VAR_FOR_CLOUDFLARE_ACCOUNT_ID
      #   export TF_VAR_cloudflareApiToken=$ENV_VAR_FOR_CLOUDFLARE_API_TOKEN
      cloudflareAccountId = "ENV_VAR_FOR_CLOUDFLARE_ACCOUNT_ID";
      cloudflareApiToken = "ENV_VAR_FOR_CLOUDFLARE_API_TOKEN";
    };
  };
}
variable "cloudflareAccountId" {}
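As an added example (not Makes' own code), the bash equivalent of the secretsForTerraformFromEnv group above, with the check a setup step should make: a source variable that is unset or empty aborts the step instead of silently exporting an empty TF_VAR_* that Terraform would later prompt for or apply as "". The group spec format ("tfVarName=ENV_VAR_NAME" pairs) is this example's own convention.

```shell
#!/usr/bin/env bash
# Added example: export TF_VAR_* from named environment variables, failing
# closed on any missing secret and never printing secret values.
set -eu

# export_tf_vars GROUP_SPEC
# GROUP_SPEC is whitespace-separated "tfVarName=ENV_VAR_NAME" pairs, the same
# mapping the Nix attribute set expresses. Returns 1 if any source is missing.
export_tf_vars() {
  local pair tf_name env_name value missing=0
  for pair in $1; do
    tf_name="${pair%%=*}"
    env_name="${pair#*=}"
    # Indirect expansion: read the variable whose name is held in env_name
    value="${!env_name-}"
    if [ -z "$value" ]; then
      # Diagnostics name the variable, never its value
      echo "secret source ${env_name} (for TF_VAR_${tf_name}) is unset or empty" >&2
      missing=1
      continue
    fi
    export "TF_VAR_${tf_name}=${value}"
  done
  return "$missing"
}

# The mapping from the Nix example above, as a constructed spec string
CLOUDFLARE_TF_VARS="cloudflareAccountId=ENV_VAR_FOR_CLOUDFLARE_ACCOUNT_ID cloudflareApiToken=ENV_VAR_FOR_CLOUDFLARE_API_TOKEN"
```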