Store API keys and secrets
Simply storing secrets securely
Wouldn't it be nice to store API keys, database passwords, and private keys directly in the source code?
Of course we can’t do that – it's horrifyingly insecure! Unfortunately it's also very common.
So why does it happen? Because storing secrets securely used to be quite annoying. Fortunately, Encore makes it easy.
Defining secrets
With Encore you define secrets directly in your code:
var secrets struct {
	SSHPrivateKey  string // ed25519 private key for SSH server
	GitHubAPIToken string // personal access token for deployments
	// ...
}
The variable must be an unexported struct named secrets, and all the fields must be of type string, as shown above.
Then, you can set the secret value using encore secret set --<dev|prod> <name>. For example, encore secret set --prod SSHPrivateKey.
The values are stored safely using HashiCorp Vault, and delivered securely directly to your production environment.
You can also set secret values for your development environments (including local development), using encore secret set --dev GitHubAPIToken.
Using secrets
Once you've provided values for all the secrets, you can just use them in your program like a regular variable. For example:
import (
	"context"
	"net/http"
)

func callGitHub(ctx context.Context) {
	req, _ := http.NewRequestWithContext(ctx, "GET", "https://api.github.com/user", nil)
	// The token comes from the secrets struct defined above, not from source code.
	req.Header.Add("Authorization", "token "+secrets.GitHubAPIToken)
	resp, err := http.DefaultClient.Do(req)
	// ... handle err and resp
}
Secret keys are globally unique for your whole application; if multiple services use the same secret name they both receive the same secret value at runtime.
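Because secret names are global to the application, every service that declares a name holds the same value, which matters when reviewing who can use a credential. The following added example (not part of the original page and not Encore's own tooling) uses go/parser to list which services declare each secret; the function name, service names and sample sources are constructed for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"sort"
)

// secretUsers maps each secret name to the sorted list of services whose
// package-level `var secrets struct{...}` declares it (hypothetical helper).
func secretUsers(services map[string]string) (map[string][]string, error) {
	users := map[string][]string{}
	for svc, src := range services {
		f, err := parser.ParseFile(token.NewFileSet(), svc+".go", src, 0)
		if err != nil {
			return nil, err
		}
		for _, d := range f.Decls {
			gd, _ := d.(*ast.GenDecl) // function bodies are FuncDecl and are skipped
			if gd == nil || gd.Tok != token.VAR {
				continue
			}
			for _, spec := range gd.Specs {
				vs := spec.(*ast.ValueSpec)
				st, _ := vs.Type.(*ast.StructType)
				if st == nil || len(vs.Names) != 1 || vs.Names[0].Name != "secrets" {
					continue
				}
				for _, fld := range st.Fields.List {
					for _, n := range fld.Names {
						users[n.Name] = append(users[n.Name], svc)
					}
				}
			}
		}
	}
	for _, svcs := range users {
		sort.Strings(svcs) // deterministic output regardless of map order
	}
	return users, nil
}

func main() { // constructed sample sources for two hypothetical services
	a := "package deploy\nvar secrets struct{ GitHubAPIToken, SSHPrivateKey string }"
	b := "package hooks\nvar secrets struct{ GitHubAPIToken string }"
	fmt.Println(secretUsers(map[string]string{"deploy": a, "hooks": b}))
}
```

A name that maps to more than one service is a value shared by all of them, so rotating or revoking it affects each service listed.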