On Mon, 6 Mar 2017, at 16:23, Isak Sky wrote:
> I found some related writing about this issue in Elixir. This is from the
> docs of conform:
>
> https://hexdocs.pm/conform/getting-started.html#files-files-everywhere

I've been pondering a similar issue: how to inject passwords and, more particularly, tokens with a limited lifespan, into Elixir?

We are using HashiCorp's Vault [1] to handle application secrets, so my current thinking is this approach:

- ansible provisions app / app upgrade and hands the app a master token, scoped for this app, to a vault module
- module then uses this master token to look up various app-specific secrets (which are time limited)
- module stores these in con_cache [2] and uses process_flag(sensitive, true) (see [3]) to keep them out of debug/dump logs
- module is responsible for ensuring the master token is renewed every 1/2 life of the secret time limit
- module is responsible for ensuring the subsidiary secrets are renewed every 1/2 life of their individual time limits
- inside the app, each subsidiary system simply calls our module which internally retrieves the latest secret from con_cache's ets table

From an OTP dependency, I would then end up making this app one of the first supervisors to start up, so that the remaining apps have their secrets already available.

I also have a similar need to pull arbitrary, changing, runtime configuration into apps as well, not just secrets, so ideally this sort of functionality (lookups, app cache) would be built into Elixir directly so that any module could use it agnostically, without having to know that these secrets are not just from environment variable, or sys.config but taken from a different module.

Perhaps it's possible to use the same sort of approach as with logging - batteries included, override as needed? I've not done this before so tips are welcome.

A+
Dave

[1]: http://vaultproject.io/
[2]: https://github.com/sasa1977/con_cache
[3]: http://erlang.org/doc/man/erlang.html#process_flag-3
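Added example, not part of the original message and not code from con_cache or Vault: a sketch of the subsidiary-secret cache described above, with each secret renewed at half its lease. It uses a plain ETS table in place of con_cache; the module name `SecretCache`, the `fetch_fun` contract (`{:ok, value, ttl_seconds}` or `{:error, reason}`) and the 5-second retry delay are assumptions made for the illustration.

```elixir
defmodule SecretCache do
  # Hypothetical module for illustration; fetch_fun stands in for a Vault lookup.
  use GenServer

  @table :secret_cache

  def start_link(opts), do: GenServer.start_link(__MODULE__, opts, name: __MODULE__)

  # Readers go straight to ETS; no message is sent to the owner process.
  def get(name) do
    case :ets.lookup(@table, name) do
      [{^name, value}] -> {:ok, value}
      [] -> :error
    end
  end

  @impl true
  def init(opts) do
    # Covers this process's own state and messages only. The ETS table is
    # :protected, so every process on the node can still read it.
    :erlang.process_flag(:sensitive, true)
    :ets.new(@table, [:named_table, :protected, read_concurrency: true])
    fetch = Keyword.fetch!(opts, :fetch_fun)
    names = Keyword.fetch!(opts, :names)
    # Fetch synchronously so applications started later find secrets present.
    Enum.each(names, &refresh(&1, fetch))
    {:ok, %{fetch: fetch}}
  end

  @impl true
  def handle_info({:renew, name}, state) do
    refresh(name, state.fetch)
    {:noreply, state}
  end

  defp refresh(name, fetch) do
    case fetch.(name) do
      {:ok, value, ttl_seconds} ->
        :ets.insert(@table, {name, value})
        # Renew at half the lease, as in the plan above (delay in ms).
        Process.send_after(self(), {:renew, name}, div(ttl_seconds * 1000, 2))

      {:error, _reason} ->
        # Keep the old value and retry; 5 s is an arbitrary assumed delay.
        Process.send_after(self(), {:renew, name}, 5_000)
    end
  end
end
```

Started early in the supervision tree with `{SecretCache, names: [...], fetch_fun: fun}`, it blocks in `init/1` until the first fetch attempt for each name has returned, which gives the start-up ordering the message asks for.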
