Security functions
Overview
The GetSecret function enables runtime access to secret values stored in Key Vaults. Since this function extracts potentially sensitive information, care must be taken not to leak the secrets.
GetSecret
Looks up a secret from a secrets management vault and returns the secret's value as a string.
Syntax
GetSecret( name )
The required argument name is the name of a key vault secret reference.
You must have a secrets management vault configured in Site Settings.
Remarks
This function is suitable for secrets stored in a textual form (passwords, or keys that are base64 encoded).
In AWS Secrets Manager, a secret value is a set of key/value pairs. When retrieving a secret's value from AWS Secrets Manager, the GetSecret function does the following:
If the secret value contains a single key, the associated value is returned.
If the secret value contains multiple keys, and one of those keys matches the secret name, the associated value is returned.
Otherwise, GetSecret returns an error.
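The three resolution rules above, worked through in code. This is an added illustration, not the product's own implementation: it assumes the AWS Secrets Manager secret string is a JSON object of key/value pairs (which is how Secrets Manager stores multi-field secrets), and the sample payloads at the bottom are constructed for the example. Note that the error messages name the secret and the key count but never echo a value, so a failed lookup cannot leak the secret into a log.

```python
import json


class SecretResolutionError(Exception):
    """Raised when no single value can be chosen for the requested secret name."""


def resolve_secret_value(name: str, secret_string: str) -> str:
    """Pick one value out of an AWS Secrets Manager secret string.

    Mirrors the documented GetSecret behaviour:
      1. a single key/value pair -> that value
      2. several pairs, one keyed by the secret name -> that value
      3. anything else -> an error
    The raw secret content is deliberately kept out of every exception message.
    """
    try:
        pairs = json.loads(secret_string)
    except json.JSONDecodeError as exc:
        # Do not include secret_string here; only say that parsing failed.
        raise SecretResolutionError(f"secret {name!r} is not a key/value set") from exc

    if not isinstance(pairs, dict) or not pairs:
        raise SecretResolutionError(f"secret {name!r} is not a non-empty key/value set")

    if len(pairs) == 1:
        # Rule 1: exactly one key, the key name is irrelevant.
        (value,) = pairs.values()
        return str(value)

    if name in pairs:
        # Rule 2: several keys, one of them matches the secret's own name.
        return str(pairs[name])

    # Rule 3: ambiguous; refuse rather than guess which field is "the" secret.
    raise SecretResolutionError(
        f"secret {name!r} has {len(pairs)} keys and none matches the secret name"
    )


# Constructed sample payloads standing in for what a vault client would return
# (hypothetical names and values, not taken from any real vault).
SAMPLE_SECRETS = {
    "MyWebServiceAuthentication": '{"token": "constructed-token-value"}',
    "ServicePassword": '{"username": "svc", "ServicePassword": "constructed-pass"}',
    "DatabaseCredentials": '{"username": "app", "password": "constructed-pass"}',
}


def get_secret(name: str, store: dict = SAMPLE_SECRETS) -> str:
    """Hypothetical GetSecret stand-in: fetch the stored string, then resolve it."""
    if name not in store:
        raise SecretResolutionError(f"no secret named {name!r}")
    return resolve_secret_value(name, store[name])


if __name__ == "__main__":
    print(get_secret("MyWebServiceAuthentication"))   # single key -> value
    print(get_secret("ServicePassword"))              # key matching the name -> value
    try:
        get_secret("DatabaseCredentials")              # two keys, neither matches -> error
    except SecretResolutionError as err:
        print("error:", err)
```

The "DatabaseCredentials" case is the one to watch for in practice: a secret holding a username and a password under generic field names is valid in Secrets Manager but cannot be resolved by GetSecret, so either store the password under a key equal to the secret's name or keep it as the only key.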
Since this function extracts potentially sensitive information, and makes it available to a Data Management project either during configuration or execution, it poses an inherent security risk. Take care not to expose these secrets (for example, by writing them to a file). Some may consider this function to be unacceptably dangerous. To disable the function, edit this line in CoreCfg.properties:
#If set to true, disable the GetSecret() function, which may pose a security risk
no_getsecret_function=true
Examples
You can use this function at run-time, for example in a Calculate expression to generate a header for a Web Service Call: "Bearer " + GetSecret("MyWebServiceAuthentication").
It may also be used as a variable using the ${...} syntax, which will be replaced at project configuration time. For example, you can build a URL like: service://${GetSecret("ServicePassword")}@hostname:port/path/to/resource
If you can enter your secret reference directly into a property using a password control, prefer that over the ${...} syntax.