Skip to main content

Secrets

Secrets management in Pylee provides a secure way to handle sensitive information like API keys, passwords, tokens, and other confidential data. Rather than hardcoding these values in configuration files, Pylee offers multiple secure storage and retrieval mechanisms.

What are Secrets?

Secrets are sensitive pieces of information that should never be stored in plain text or committed to version control. In Pylee, secrets include:
  • API keys and tokens: Authentication credentials for external services
  • Database passwords: Connection credentials for databases
  • Certificates and keys: SSL/TLS certificates and private keys
  • Authentication tokens: OAuth tokens and session keys
  • Encryption keys: Keys used for data encryption and decryption

Secret Storage Options

Environment Variables

The simplest approach for storing secrets in environment variables:

Secret References

Use special syntax to reference secrets stored in secure vaults:

File-based Secrets

Store secrets in secure files with restricted permissions:

Secret Providers

Local Secret Store

Pylee’s built-in encrypted secret storage:
Configuration usage:

External Secret Managers

AWS Secrets Manager

HashiCorp Vault

Azure Key Vault

Secret Syntax

Basic Secret Reference

Provider-specific References

Secret with Default Values

Complex Secret Structures

For JSON secrets:

Security Best Practices

Access Control

  • Implement least-privilege access to secrets
  • Use role-based access control (RBAC)
  • Regularly audit secret access logs
  • Rotate secrets regularly

Storage Security

  • Never commit secrets to version control
  • Use encrypted storage for secret files
  • Set restrictive file permissions (600 or 400)
  • Store secrets separate from configuration

Network Security

  • Use HTTPS/TLS for secret transmission
  • Implement proper certificate validation
  • Use VPNs or private networks when possible
  • Monitor secret access patterns

Rotation and Lifecycle

  • Implement automatic secret rotation
  • Set expiration dates for secrets
  • Have rollback procedures for secret changes
  • Monitor for secret usage anomalies

Environment-Specific Secrets

Development Environment

Production Environment

Secret Templates

Database Connection Template

API Client Template

Secret Validation

Required Secrets

Secret Encryption

Advanced Features

Secret Injection at Runtime

Secret Monitoring

Multi-Region Secrets

Troubleshooting

Common Issues

Secret Not Found

Solutions:
  • Verify secret exists: pylee secret list
  • Check provider configuration
  • Ensure proper access permissions

Permission Denied

Solutions:
  • Check IAM/RBAC permissions
  • Verify authentication credentials
  • Review secret access policies

Secret Decryption Failed

Solutions:
  • Verify encryption key is correct
  • Check secret store integrity
  • Ensure proper key permissions

Debugging Secrets

Enable secret debugging (be careful in production):

Integration Examples

Complete API Service Configuration

Multi-Environment Secret Management

Next Steps

  • Learn about Variables for non-sensitive configuration
  • Explore Server configuration for complete setup examples
  • Check the Troubleshooting guide for secret-related issues
  • Review security best practices for your deployment environment