
Secrets

Enola manages “secrets” (e.g. API keys, other tokens, passwords, etc.) by delegating to an external secret manager. The following ones are currently supported:

  1. pass: We recommend using this with GPG on a YubiKey that requires “touch” to decrypt secrets.
  2. Insecure unencrypted plain text (YAML) file 😭

Support for other secret managers may be added in the future. Please open an issue if you need a specific one; like:

Which one is used is currently automatically determined. This may be made more configurable in the future.

We will not read “secrets” from environment variables, as this is not secure.

Tests

Because Bazel changes $HOME, the integration tests running under Bazel (BAZEL_TEST) read secrets from the file to which the ENOLA.DEV_AZKABAN environment variable points. If it is not set, then no secrets are available. We test for the presence of secrets and skip tests if the required secret is not available. Launch such integration tests like this (the test.bash script does the same):

bazelisk test --test_env=ENOLA.DEV_AZKABAN="$HOME/keys.yaml" //java/dev/enola/common/secret/auto:tests

To run integration tests in an IDE, add this environment variable in the Bazel Test launch config.
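The following is an added example, not code from the Enola project, that sketches the test-side behaviour described above: the secrets file location comes only from ENOLA.DEV_AZKABAN when running under Bazel (BAZEL_TEST), secret values are never read from environment variables, and a test that needs a secret is skipped rather than failed when it is unavailable. Python is used here because the pattern is language-agnostic; the flat "key: value" file layout, the helper names, and the sample file contents are assumptions made for the example.

```python
import os
import unittest
from pathlib import Path

SECRETS_FILE_ENV = "ENOLA.DEV_AZKABAN"  # from the page: points at the secrets file
BAZEL_TEST_ENV = "BAZEL_TEST"           # set by Bazel for tests it launches


def secrets_file_path(env=os.environ):
    """Under Bazel, $HOME is not the real home directory, so the only trusted
    source for the secrets file location is ENOLA.DEV_AZKABAN.
    Return its path, or None when not running under Bazel or when unset."""
    if BAZEL_TEST_ENV not in env:
        return None
    path = env.get(SECRETS_FILE_ENV, "").strip()
    return Path(path) if path else None


def parse_flat_yaml(text):
    """Parse a flat 'key: value' YAML mapping (assumed file layout; a tiny
    stand-in for a real YAML library so this example runs without deps).
    Blank lines and '#' comments are ignored; surrounding quotes are stripped."""
    secrets = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a 'key: value' line: {raw!r}")
        secrets[key.strip()] = value.strip().strip("'\"")
    return secrets


def load_secrets(env=os.environ, read_text=lambda p: p.read_text()):
    """Return the secrets mapping, or {} when no file is configured.
    Only the file *path* comes from the environment; secret values never do.
    `read_text` is injectable so the loader can be tested without touching disk."""
    path = secrets_file_path(env)
    if path is None:
        return {}
    return parse_flat_yaml(read_text(path))


def has_secret(secrets, name):
    """True when a non-empty value for `name` is available."""
    return bool(secrets.get(name))


def require_secret(secrets, name):
    """Return the named secret, or raise unittest.SkipTest so a test that
    depends on it is reported as skipped (not failed) in environments
    where the secret is unavailable, as the page describes."""
    if not has_secret(secrets, name):
        raise unittest.SkipTest(f"secret {name!r} not available; skipping test")
    return secrets[name]


if __name__ == "__main__":
    # Constructed sample: pretend Bazel launched us with the variable set, and
    # supply the file contents inline instead of reading /tmp/keys.yaml.
    sample_env = {"BAZEL_TEST": "1", "ENOLA.DEV_AZKABAN": "/tmp/keys.yaml"}
    sample_yaml = "# constructed sample keys.yaml\nexample_api_key: 'abc-123'\nother_token: xyz\n"
    loaded = load_secrets(sample_env, read_text=lambda _path: sample_yaml)
    print("secrets available:", sorted(loaded))
    print("example_api_key present:", has_secret(loaded, "example_api_key"))
    print("missing_key present:", has_secret(loaded, "missing_key"))
```

In a real test class the call `require_secret(secrets, "example_api_key")` would sit at the top of the test method (or in a `setUp`), so that running without `--test_env=ENOLA.DEV_AZKABAN=...` yields a skipped test with a clear reason rather than a confusing failure.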