Skip to main content
Skip table of contents

Security functions

Overview

The GetSecret function enables runtime access of secret values stored in Key Vaults. Since this function extracts potentially-sensitive information, care must be taken not to leak the secrets.

GetSecret

Looks up a secret from a secrets management vault and returns the secret's value as a string.

Syntax

GetSecret( name )

The required argument name is the name of a key vault secret reference. You must have a secrets management vault configured in Site Settings.

Remarks

This function is suitable for secrets stored in a textual form (passwords, or keys that are base64 encoded).

Note that in AWS Secret Manager, a secret value is a set of key/value pairs. When retrieving a secret’s value from AWS Secrets Manager, the GetSecret function does the following:

  • If the secret value contains a single key, the associated value is returned

  • If the secret value contains multiple keys, and one of those keys matches the secret name, the associated value is returned+

Otherwise, GetSecret returns an error.

Since this function extracts potentially-sensitive information, and makes it available to a Data Management project either during configuration or execution, it poses an inherent security risk. Take care not to expose these secrets (for example, by writing them to a file). Some may consider this function to be unacceptably dangerous. To disable the function, edit this line in CoreCfg.properties:

#If set to true, disable the GetSecret() function, which may pose a security risk
no_getsecret_function=true

Examples

You can use this function at run-time, for example in a Calculate expression to generate a header for a Web Service Call:

"Bearer " + GetSecret("MyWebServiceAuthentication")

It may also be used as a variable using the  ${...} syntax, which will be replaced at project configuration time. For example, you can build a URL like: service://${GetSecret("ServicePassword")}@hostname:port/path/to/resource

If you can enter your secret reference directly into a property using a password control, prefer that over the ${...} syntax.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close