
Secrets

Because Reboot applications are cloud-agnostic by default, Reboot provides its own support for storing and reading secret values that your application will need at runtime (such as API keys and passwords).

Secrets are stored and retrieved as binary data.

Info: Secrets are supported in Python backends. TypeScript support is coming soon.

Reading secrets

To retrieve a secret in your Reboot application, use an instance of the reboot.aio.secrets.Secrets class.

from reboot.aio.secrets import Secrets

# Create and reuse a Secrets instance.
SECRETS = Secrets()

async def uses_a_secret() -> None:
    # Secrets are returned as binary data.
    secret_value = await SECRETS.get("name-of-the-secret")

The Secrets class includes a short-lived cache of secret values by default, so it's recommended to:

  1. Create and reuse a single instance of the Secrets class.
    • This allows you to take advantage of secret caching.
  2. Call await secrets.get($secret_name) inline where you want to consume a secret.
    • This allows secrets to be updated for your application without restarting (when using Reboot Cloud).

Storing secrets

Secrets can be written locally via two different mechanisms.

Environment variables

By default, Reboot will read secrets from environment variables prefixed with RBT_SECRET_: i.e. RBT_SECRET_MY_SECRET_NAME. The secret can then be loaded using a name like my-secret-name, my_secret_name, etc.

Note: Before being loaded from an environment variable, the secret name will be upper-cased, and dashes (-) will be replaced with underscores (_).

A directory

To load secrets from a directory on disk instead, you can pass the --secrets-directory=... flag to rbt dev run or rbt serve.

The given directory should contain secret files to use, with filenames corresponding exactly to secret names.
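
The two local sources resolve names differently: the environment lookup normalizes the name, while the directory lookup matches the filename exactly. The check below is an added example, not Reboot's own code; it re-implements the documented naming rule with the standard library only, and env_var_for, preflight and the sample values are hypothetical names constructed for illustration. It assumes file contents are used byte-for-byte, so a trailing newline would become part of the secret.

```python
import os
import tempfile
from pathlib import Path

ENV_PREFIX = "RBT_SECRET_"  # prefix documented above


def env_var_for(secret_name: str) -> str:
    """Documented rule: upper-case the name, replace dashes with underscores."""
    return ENV_PREFIX + secret_name.upper().replace("-", "_")


def preflight(names, environ=None, secrets_directory=None):
    """Return findings for the secret names an application reads.

    Checks the environment source unless secrets_directory is given, in
    which case filenames must match the secret names exactly.
    """
    environ = os.environ if environ is None else environ
    findings = []
    seen = {}  # env var -> first secret name that mapped to it
    for name in names:
        if secrets_directory is None:
            var = env_var_for(name)
            if seen.setdefault(var, name) != name:
                findings.append(f"{name!r} and {seen[var]!r} both read {var}")
            if var not in environ:
                findings.append(f"{name!r}: {var} is not set")
            continue
        path = Path(secrets_directory) / name
        if not path.is_file():
            findings.append(f"{name!r}: no file named exactly {name}")
        elif path.read_bytes().endswith(b"\n"):
            # Assumption: file bytes are used as-is, newline included.
            findings.append(f"{name!r}: file ends with a newline byte")
    return findings


if __name__ == "__main__":
    # Constructed sample data; only names are printed, never values.
    env = {"RBT_SECRET_MY_SECRET_NAME": "constructed-value"}
    print(preflight(["my-secret-name", "my_secret_name", "db-password"], env))
    with tempfile.TemporaryDirectory() as d:
        Path(d, "my-secret-name").write_bytes(b"constructed-value\n")
        print(preflight(["my-secret-name", "my_secret_name"], secrets_directory=d))
```

Mixed spellings such as my-secret-name and my_secret_name resolve to the same environment variable but to different files, so code that works with the environment source can fail once --secrets-directory is used.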

Testing secrets

You can provide mock secret values in tests using the MockSecretSource:

from reboot.aio.secrets import Secrets, MockSecretSource

def setUp() -> None:
    Secrets.set_secret_source(
        MockSecretSource(
            {"my-secret-name": "my-secret-value".encode()}
        )
    )

Secrets in Reboot Cloud

Storing secrets

To store a secret securely in the Reboot Cloud, use the rbt cloud secret subcommands:

rbt cloud secret write \
    --api-key="${REBOOT_CLOUD_API_KEY}" \
    --secret-name=example \
    --secret-value=ex4mple

Secret values are encrypted at rest. When passed using --secret-value, the secret string value will be UTF-8 encoded, but you can directly store a secret from a file using --secret-value-file.

Runtime environments

If you have stored secrets in the Reboot Cloud, you will need to pass your API key when running your application via rbt dev run in order to read them:

rbt dev run \
    --api-key="${REBOOT_CLOUD_API_KEY}"

When running via rbt cloud up, a short-lived API key is automatically provided to your application at runtime.