go run .
Show to to use secret manager to pass credentials to application using https://gocloud.dev this provides better security and simplifies deployment of an app.
Secrets are defined as string keys in arguments and specify path how to access secret data in google secret manager or aws secret manager. We use key param secret-key which specify what should we as location for secret.
PostgresURLKey holds secret key like gcp.io/secret-manager/project/secret/version
PostgresURL - holds actual value which can be populated from different sources like env or from secret-key.
type Args struct {
// key where secret is stored
PostgresURLKey string env:"POSTGRES_URL_KEY" long:"postgres-url-key" default:"postgres-url"
// actual url for current service
// we can keep it empty and it will be inferred from
// postgres-url secret manager
// or you can provide it from env or arguments and pass secret value directly.
PostgresURL string env:"POSTGRES_URL" long:"postgres-url" secret-key:"PostgresURLKey" optional:"true"
}
According to clean architecture you might have several layers of your app , We consider secrets and configuration to be the outer layer of your app (framework and devices)
Outer layer of our app is main function, that's why we put secrets parsing there.
secrets definitions come from Args struct that serves several purposes
- it defines struct that we use during app setup
- it generates help for our cli
- it defines mapping for env variables to struct keys
- it defines mapping for secret storage to our struct keys
- we use args struct in test in order to pass parameters for local testing.
type Args struct {
// key where secret is stored
PostgresURLKey string `env:"POSTGRES_URL_KEY" long:"postgres-url-key" default:"postgres-url"`
// actual url for current service
// we can keep it empty and it will be inferred from
// postgres-url secret manager
// or you can provide it from env or arguments and pass secret value directly.
PostgresURL string `env:"POSTGRES_URL" long:"postgres-url" secret-key:"PostgresURLKey" optional:"true"`
}
`SECRET_BASE_URL` - helps to simplify definition of url keys, instead of --postgres-url-key=`gcpsecretmanager://projects/es-scalability-test/secrets/my-key`
you can specify just --postgres-url-key=mykey but it's totally optional and you can pass full url of any of they keys.
here some example, you might even pass keys from different storages
--postgres-url-key=gcpsecretmanager://projects/es-scalability-test/secrets/my-key
--dynamo-db-url-key=awssecretsmanager://secret-variable-name?region=us-east-2&decoder=string
--my-meta-file=blob://myvar.txt?decoder=string, along with BLOBVAR_BUCKET_URL it will allow you to read data into argument from any bucket
this way you can pass local parameter
--my-arg-key=constant://?val=hello+world&decoder=string
or this way which also will work.
--my-arg=hello-wrold