Recommendations for Storing Secrets

Hi,

We have to access third-party services from our Nakama instance, and currently the only way I can think of to provide access to API keys is via environment variables. This isn't ideal because they're in plain text, but maybe this is the only solution.

Do you have any recommendations?

Thanks.

No matter what you do your secrets have to be stored in plain text somewhere.

I’m definitely not the subject matter expert but consider:

  • Store the API key in a plain text file. I prefix my secret files with a period and my git is set up to ignore those files in commits.
  • Set up the Docker secret referencing the text file containing your API key. Because my docker compose file and secrets are stored in the same folder, I can use relative paths, for example:

    secrets:
      my_api_key:
        file: .\.secrets\.my_api_key.txt # notice the . in front of the filename...it's the actual filename

  • When you want to access your secret you need to use:

    /run/secrets/my_api_key

Here's the gotcha: how is this key being passed to your API? If you are using some sort of connection string or URL, it needs to be resolved, for example at runtime. This is how I resolve my secrets for the database connection string passed to Nakama:

entrypoint:
  - "/bin/sh"
  - "-ecx"
  - >
    /nakama/nakama migrate up
    --database.address $(cat /run/secrets/postgres_user):$(cat /run/secrets/postgres_password)@postgres:5432/nakama

It will show up in your terminal, maybe even in your bash history and logs; that might be OK. We have to assume your container and host will not be compromised and that security protocols are in place (like you being the only person to have access to the host).

I may be a terrible liar because after extensive reading, I haven’t found any 100% secure way to keep secrets. :wink:
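The reply above resolves the secrets with `sh -ecx`, and the `-x` trace is exactly what makes the values show up in the terminal and container logs. As an added example (not code from either post, and not part of Nakama itself), the script below reads the same Docker secret files at runtime without tracing, strips the trailing newline that editors usually leave in a secret file, and assembles the `--database.address` value the reply passes to `nakama migrate up`. The `/run/secrets/<name>` layout is Docker's; `postgres_user`, `postgres_password` and `postgres:5432/nakama` come from the reply; the helper names `read_secret`, `build_db_address` and `demo`, the `SECRETS_DIR` override and the sample values are assumptions made here so it can run outside a container.

```shell
#!/bin/sh
# Added example: resolve Docker secrets from files at runtime without 'sh -x',
# so the secret values are not echoed into the terminal, shell history or logs.
# Assumes Docker's secrets layout (/run/secrets/<name>), as in the reply above.

# Directory holding the secret files. Overridable (assumption made here) so the
# example can run outside a container against constructed test files.
SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"

# read_secret NAME -> prints the secret with trailing newlines removed (a
# newline left in the file would otherwise end up inside the connection URL).
read_secret() {
    name="$1"
    path="$SECRETS_DIR/$name"
    if [ ! -r "$path" ]; then
        # Report the name and path only, never the contents.
        echo "read_secret: missing or unreadable secret '$name' at $path" >&2
        return 1
    fi
    # Command substitution strips trailing newlines; printf avoids echo's
    # option parsing if a value starts with '-'.
    printf '%s' "$(cat "$path")"
}

# build_db_address -> assembles the value for --database.address, using the
# postgres_user and postgres_password secrets named in the reply.
build_db_address() {
    user="$(read_secret postgres_user)" || return 1
    pass="$(read_secret postgres_password)" || return 1
    printf '%s:%s@postgres:5432/nakama' "$user" "$pass"
}

# demo -> creates a constructed secrets directory, resolves the address and
# reports only its length, so nothing sensitive is printed. Inside a container
# you would leave SECRETS_DIR unset and run:
#   /nakama/nakama migrate up --database.address "$(build_db_address)"
demo() {
    tmp="$(mktemp -d)"
    SECRETS_DIR="$tmp"
    printf 'nakama_user\n' > "$tmp/postgres_user"      # constructed sample value
    printf 's3cret-pw\n'   > "$tmp/postgres_password"  # constructed sample value
    addr="$(build_db_address)"
    echo "resolved database address has ${#addr} characters"
    rm -rf "$tmp"
    SECRETS_DIR=/run/secrets
}

demo
```

Because no `-x` is set, neither the trace nor the resolved address reaches stdout or the container log; the only thing printed on failure is the secret's name and path. Quoting `"$(build_db_address)"` when passing it to the real command keeps a password containing spaces or shell metacharacters intact.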