@synanetics/secrets
v5.0.0
Synanetics custom secrets package for GCP environments
Package to handle Synanetics secret usage. It is meant as a (breaking) replacement for, and extension of, the synfhir-core resolve utility function.
Usage
const secrets = require('@synanetics/secrets');
const { getVersion, resolveVersion, replaceVersion, createSecretWithVersion } = require('@synanetics/secrets');
// or
import * as secrets from '@synanetics/secrets';
import { getVersion, resolveVersion, replaceVersion, createSecretWithVersion } from '@synanetics/secrets';
Functions
getVersion
Will attempt to fetch a secret value and return it as a string. By default it caches this value indefinitely. It surfaces any errors encountered.
await getVersion('my-secret');
// returns my-secret string value
For convenience it will handle a secret:// prefix.
await getVersion('secret://my-secret');
It can be provided a version number - it defaults to latest.
await getVersion('my-secret', '10');
It can be provided with an alternate project id when handling secrets.
await getVersion('my-secret', undefined, { project: 'alternate-project-id' });
It can be passed a caching TTL.
await getVersion('my-secret', undefined, { cache: { ttl: 100 } });
It can disable the cache entirely.
await getVersion('my-secret', undefined, { cache: { enabled: false } });
By default it will return an empty string for NOT_FOUND and FAILED_PRECONDITION (DISABLED) errors; it can be configured to throw on those errors too.
await getVersion('my-secret', undefined, { throwOnAnyError: true });
resolveVersion
Added to act as a substitute for the synfhir-core -> resolve function. It handles errors slightly differently and should be considered a breaking change, but in reality adopting it should be a simple modification.
await resolveVersion('');
await resolveVersion();
// both return '';
It expects all secret names to be passed as one of file://... or secret://... . If none of these prefix patterns match it will return the input value.
e.g. my-input-value would just return my-input-value.
file:// prefixes attempt to read the contents of a file based on the value after removing file://.
e.g. file://path/to/a/file will read the file at path/to/a/file.
secret:// prefixes attempt to read the latest version of a GCP Secret Manager secret, named by the value after removing secret://. NOTE - This will use getVersion detailed above.
e.g. secret://my-secret-name will read the secret my-secret-name.
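A fail-closed loader for the two defaults described above (getVersion returning an empty string for NOT_FOUND and disabled versions, and resolveVersion returning unprefixed input unchanged), as an added example that is not part of the package. getVersion is injected so the block runs offline; makeStrictLoader, makeStubGetVersion, demo and the sample values are hypothetical names constructed for illustration.

```javascript
// Added example (not package code). In an application, pass
// require('@synanetics/secrets').getVersion instead of the stub below.
function makeStrictLoader(getVersion, { ttl } = {}) {
  return async function loadSecret(ref, version) {
    // Require the secret:// form so a literal value pasted into config is
    // rejected. The rejected input is kept out of the error message because
    // it may itself be a credential.
    if (typeof ref !== 'string' || !ref.startsWith('secret://')) {
      throw new Error('secret reference must use the secret:// prefix');
    }
    // throwOnAnyError turns NOT_FOUND / DISABLED into errors instead of ''.
    const options = { throwOnAnyError: true };
    // A finite TTL bounds how long a cached value outlives a rotation.
    if (ttl !== undefined) options.cache = { ttl };
    const value = await getVersion(ref, version, options);
    // Defence in depth: never hand an empty credential to the caller.
    if (typeof value !== 'string' || value.length === 0) {
      throw new Error(`secret ${ref} resolved to an empty value`);
    }
    return value;
  };
}

// Constructed stand-in that mimics the documented defaults of getVersion.
function makeStubGetVersion(store) {
  return async (name, version = 'latest', options = {}) => {
    const key = name.replace(/^secret:\/\//, '');
    if (key in store) return store[key];
    if (options.throwOnAnyError) throw new Error('NOT_FOUND');
    return ''; // documented default for a missing secret
  };
}

async function demo() {
  const stub = makeStubGetVersion({ 'api-key': 's3cr3t-constructed' });
  const load = makeStrictLoader(stub, { ttl: 100 });
  return {
    found: await load('secret://api-key'),
    defaultMissing: await stub('missing'), // '' would flow into the app
    strictMissing: await load('secret://missing').catch((e) => e.message),
    literal: await load('hunter2-constructed').catch((e) => e.message),
  };
}
```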
replaceVersion
Will attempt to set a secret version value and disable its previous version. It surfaces any errors encountered. It does nothing with the cache.
await replaceVersion('my-secret', 'new value');
For convenience it will handle a secret:// prefix.
await replaceVersion('secret://my-secret', 'new value');
It can be provided with an alternate project id.
await replaceVersion('my-secret', ' new data', { project: 'alternate-project-id' });
createSecretWithVersion
This will create a new secret (where you are sure it doesn't already exist) and add an optional version to it. It does not allow for replication setting overrides, defaulting to our standard config. It is safe to attempt to re-create a secret as an error will be thrown before a new version can be added.
The new version will be a 'PLACEHOLDER' value by default.
await createSecretWithVersion('my-new-secret');
// my-new-secret now has PLACEHOLDER as its version value
It can be provided with an alternate project id.
await createSecretWithVersion('my-new-secret', 'new data', { project: 'alternate-project-id' });
TESTING
When testing this package it is important to bear in mind that Jest will reload its modules per file. To prevent memory leaks in this scenario, and to allow mocking to prevent client and cache instantiation, this module defers creating both the client and cache instances until one of the above functions is called.