Secrets

Secrets are a storage mechanism for sensitive values. When integrating with external systems you'll often use an API key or token for authentication. These values should be stored as secrets.

The use of secrets is restricted to help protect the values from being exposed. Secrets are only available server-side and are not available in the Appfarm Client. Secrets can be used within services, as well as the Web Request action node in apps (provided Send from Client is not selected).

A secret can have the same value across all environments, or environment-specific values can be set. Setting environment-specific values is particularly useful when you have different API keys for integrating with a test environment and a production environment.

Important

Changes to secrets have immediate effect and do not require a deploy. To prevent accidental changes you should lock your secrets.

Properties

Property / Description

Name

This is the reference used when accessing secrets elsewhere in Appfarm Create.

Environment Specific

Store different secret values per environment. Selecting this property will remove the Value property and add new properties to store the values for Development, Test, Staging, and Production.

Secret Type

The data type of the secret. Can be one of the following:

  • String

  • OAuth 2 value

Secrets can hold constant string values, which is the default, or represent a reference to values obtained through third-party OAuth providers.

The latter allows Web Requests to third-party services to be made on behalf of the logged-on user by using access tokens obtained through an OAuth provider. In other words, such secrets are personal and stored per user.

Value

For Secret Type String only. The value to be used for this secret, for example, the API key or token you wish to store.

If Environment Specific is selected, this property will be replaced with properties for Development, Test, Staging, and Production.

Oauth Value

For Secret Type OAuth 2 value only. You may select which value (retrieved from the OAuth 2 response on login) this secret definition represents.

Use ID Token Claim for a custom claim. A new setting then appears for entering the path (in the same format as the path string used when mapping web requests, such as "rootpath.sublevel" or "arraypath.0.value").

Description

A longer description of the secret. For your own reference.

Lock Secret

Protect the secret from accidental changes. If this is selected, the secret cannot be edited or deleted. The secret can be unlocked for changes by clearing the checkbox.
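
The ID Token Claim path format described under Oauth Value ("rootpath.sublevel", "arraypath.0.value") can be checked against a token before the path is entered. The following is an added example, not Appfarm code: the function names and the sample token are constructed, and it assumes an all-digit path segment indexes an array.

```javascript
// Added example (not Appfarm code): resolve a dotted claim path such as
// "rootpath.sublevel" or "arraypath.0.value" against ID token claims.

// Decode the payload (second segment) of a compact JWT. This does NOT verify
// the signature; it is for inspecting claims only.
function decodeIdTokenClaims(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Walk the path one segment at a time. Assumption: an all-digit segment
// indexes an array. Only own properties are followed, so segments such as
// "constructor" or "__proto__" never reach the prototype chain.
// Returns undefined when any step is missing.
function resolveClaimPath(claims, path) {
  let node = claims;
  for (const seg of path.split(".")) {
    if (node === null || typeof node !== "object") return undefined;
    if (Array.isArray(node)) {
      if (!/^\d+$/.test(seg)) return undefined;
      node = node[Number(seg)];
    } else {
      if (!Object.prototype.hasOwnProperty.call(node, seg)) return undefined;
      node = node[seg];
    }
  }
  return node;
}

// Constructed sample token: header.payload.signature with a dummy signature.
function makeSampleToken() {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const payload = {
    sub: "user-123",
    rootpath: { sublevel: "tenant-a" },
    arraypath: [{ value: "first" }, { value: "second" }],
  };
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.constructed-sig`;
}

const claims = decodeIdTokenClaims(makeSampleToken());
console.log(resolveClaimPath(claims, "rootpath.sublevel"));
console.log(resolveClaimPath(claims, "arraypath.0.value"));
console.log(resolveClaimPath(claims, "arraypath.5.value"));
```

A path that resolves to undefined here points at a claim the token does not carry, which is worth catching before a Web Request depends on it.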

Permissions

Permissions for secrets are granted under Permissions > Advanced > Secrets.

Any user with access to a solution in Appfarm Create can list all the solution's secrets by name. This is necessary in order to be able to specify a secret as a property in an action node.

To see the value of the secret in Appfarm Create you need the permission Read any Secret value. This permission is not needed to run an action node that uses a secret.

Separate permissions are required for modifying secrets:

  • Create Secret

  • Update any Secret

  • Delete any Secret

To update a secret from a service, the role of the user/service account running the service requires permission to update that specific secret, granted under Update Secret from Service. Only secrets marked as Environment Specific and that are unlocked can be updated from a service.

Security considerations

If a bad actor has access to your solution in Appfarm Create, they can still access your secrets even if their role(s) do not have permission to read secrets. This is possible by using a secret in an app or service and sending it to a target that they control. To help mitigate this issue, we recommend using environment-specific secrets and implementing a review process before deploying.
