Secrets

Shh!

The purpose of the secrets vault is to securely store secrets, while still allowing convenient access to the secrets from both Blueprints and Environments.

Tuono vaults

Every organization within Tuono gets its own dedicated, isolated vault instance. Because of this isolation, no other organization has access to that vault or to the secrets stored in it.

The Tuono vault is built on top of HashiCorp Vault, with an extension that allows authentication using the JSON Web Token (JWT) issued by Auth0 (our authentication provider). The claims in the JWT specify which vault policies apply to the user's session, and those policies control access to secrets within the scopes allowed for that user.
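The chain described above (verified JWT claims select policies, and policies grant capabilities on scoped secret paths) can be modelled in a few lines. The following is an added example, not Tuono's or HashiCorp Vault's code: the claim names, the `secret/data/<org>/...` path layout and the policy table are constructed assumptions, and the claims are assumed to come from a JWT whose signature, issuer, audience and expiry have already been verified.

```python
"""Simplified model of the claims -> policies -> scoped-secret-access chain.

Added example; not Tuono's or HashiCorp Vault's implementation. Claim names,
path layout and policy names below are constructed assumptions.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class PolicyRule:
    path: str                # path pattern; a trailing '*' matches any suffix
    capabilities: frozenset  # e.g. frozenset({"read"})


@dataclass
class Policy:
    name: str
    rules: list = field(default_factory=list)

    def allows(self, path: str, capability: str) -> bool:
        # A policy grants access only if some rule matches the path AND
        # lists the requested capability.
        return any(
            fnmatchcase(path, rule.path) and capability in rule.capabilities
            for rule in self.rules
        )


# Constructed policy table: each policy is scoped to one organization's subtree,
# so a session holding only "acme-*" policies can never reach "globex" secrets.
POLICIES = {
    "acme-reader": Policy(
        "acme-reader",
        [PolicyRule("secret/data/acme/*", frozenset({"read"}))],
    ),
    "acme-admin": Policy(
        "acme-admin",
        [PolicyRule("secret/data/acme/*", frozenset({"read", "create", "update", "delete"}))],
    ),
    "globex-reader": Policy(
        "globex-reader",
        [PolicyRule("secret/data/globex/*", frozenset({"read"}))],
    ),
}


def policies_for_session(claims: dict) -> list:
    """Map already-verified JWT claims to the policies attached to this session.

    Unknown policy names are ignored rather than guessed at, and a token with no
    "policies" claim gets an empty list, i.e. no access at all (deny by default).
    """
    names = claims.get("policies", [])
    return [POLICIES[n] for n in names if n in POLICIES]


def is_allowed(claims: dict, path: str, capability: str) -> bool:
    """Deny-by-default check: some attached policy must grant `capability` on `path`."""
    return any(p.allows(path, capability) for p in policies_for_session(claims))


if __name__ == "__main__":
    # Constructed session claims for a read-only user of the "acme" org.
    reader = {"sub": "auth0|alice", "org": "acme", "policies": ["acme-reader"]}
    print(is_allowed(reader, "secret/data/acme/admin_password", "read"))    # True
    print(is_allowed(reader, "secret/data/acme/admin_password", "update"))  # False
    print(is_allowed(reader, "secret/data/globex/admin_password", "read"))  # False
```

The point worth checking in any real deployment is the deny-by-default path: a token whose policy claim is missing, empty, or names a policy that does not exist must end up with no capabilities, and a policy scoped to one organization's subtree must not match a sibling organization's path.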

Secret Type

Today we support the storage of string values as secrets. These are stored as unversioned key:value pairs. We plan to add more types in the future, including base64-encoded SSH keys, private keys, and certificates, which may be generated and managed by Tuono vaults.

Secrets and Variables

When you define a variable for a blueprint, you have the option to set its type to secret. This means that the variable must reference one of the secrets in your Tuono vault; the reference is defined under "Variables" on the "Environment" page. Below is an example of a secret variable:

variables:
  admin_password:
    description: The password for the administrative user.
    type: secret

When a secret is used as a variable, you do not set the variable to the secret's value; you set it to a reference to one of the secrets stored in your Tuono vault. This means the secret can be freely used within a blueprint without its value being exposed to anyone. Once a secret has been added to the vault, it can be used by anyone with permission to do so, but the value itself is not exposed to anyone, not even its creator, once it has been stored.
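To show what "reference, not value" means in practice, here is an added example of how a blueprint's variables could be resolved against an environment definition, rejecting any secret-typed variable that carries a literal value and keeping resolved secrets out of logs. This is not Tuono's code: the `vault:<name>` reference syntax, the dict shapes for the blueprint and environment, and the in-memory vault are constructed assumptions.

```python
"""Resolving blueprint variables of type `secret` by reference, never by value.

Added example; not Tuono's implementation. The "vault:<name>" reference syntax,
the blueprint/environment dict shapes and the in-memory vault are constructed.
"""

REF_PREFIX = "vault:"  # constructed reference syntax for environment values


class InMemoryVault:
    """Stand-in for the per-organization vault: name -> string secret."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)

    def read(self, name):
        if name not in self._secrets:
            raise KeyError(f"no secret named {name!r} in vault")
        return self._secrets[name]


class SecretRef:
    """Opaque handle to a vault secret. The value is fetched only on reveal()."""

    def __init__(self, name, vault):
        self.name = name
        self._vault = vault

    def reveal(self):
        return self._vault.read(self.name)

    # repr/str never include the value, so the handle is safe to log or embed
    # in an error message.
    def __repr__(self):
        return f"SecretRef({self.name!r})"

    __str__ = __repr__


def resolve_variables(blueprint_vars, env_values, vault):
    """Return {name: value-or-SecretRef} for every variable the blueprint declares.

    Secret-typed variables must be set to a vault reference; a literal value is
    rejected so plaintext secrets never enter the environment definition. A
    reference on a non-secret variable is also rejected, because that variable
    would otherwise expose the secret's value.
    """
    resolved = {}
    for name, spec in blueprint_vars.items():
        if name not in env_values:
            raise ValueError(f"variable {name!r} is not set in the environment")
        raw = env_values[name]
        is_ref = isinstance(raw, str) and raw.startswith(REF_PREFIX)
        if spec.get("type") == "secret":
            if not is_ref:
                raise ValueError(f"secret variable {name!r} must reference a vault secret")
            ref_name = raw[len(REF_PREFIX):]
            vault.read(ref_name)  # fail early on a dangling reference; value discarded
            resolved[name] = SecretRef(ref_name, vault)
        else:
            if is_ref:
                raise ValueError(f"non-secret variable {name!r} may not reference a vault secret")
            resolved[name] = raw
    return resolved


def render_for_log(resolved):
    """Log-safe view of the resolved variables: secrets appear only by reference name."""
    return {
        name: (f"<secret {val.name}>" if isinstance(val, SecretRef) else val)
        for name, val in resolved.items()
    }


# Constructed sample input mirroring the blueprint fragment above.
BLUEPRINT_VARS = {
    "admin_password": {"description": "The password for the administrative user.", "type": "secret"},
    "instance_count": {"description": "Number of instances to launch.", "type": "number"},
}
ENV_VALUES = {"admin_password": "vault:admin_password", "instance_count": 2}
VAULT = InMemoryVault({"admin_password": "example-only-value"})  # constructed

if __name__ == "__main__":
    out = resolve_variables(BLUEPRINT_VARS, ENV_VALUES, VAULT)
    print(render_for_log(out))  # {'admin_password': '<secret admin_password>', 'instance_count': 2}
```

The two checks a practitioner would want from such a resolver are visible in the code: a secret-typed variable set to a literal string is refused before anything is stored, and the resolved object's `repr` carries only the reference name, so an accidental `print` or exception message cannot leak the value.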
