Secret Command

Application secrets are extremely important and can be very cumbersome to manage on your own.

The secret command lets you manage your application secrets through an easy-to-use interface to the container orchestration system Astra has provided.

An example

First, in order to input secrets, you must already have a service for which you wish to create secrets. If you need help with this you can read more about the service command here.

For this example we will assume we have a service called testbed which exists in our production account.

Let's start by reviewing the existing secrets for testbed:

~|⇒ astra secret list testbed production
|     key     |    created   | last_changed | last_accessed |
| my_key      | 2 months ago | a week ago   | 2 weeks ago   |
| another_key | 2 months ago | 2 months ago | Never         |

Update a secret

Inserting or updating a secret is easy and safe. By default, AWS Secrets Manager allows for versioned secrets, which Astra takes full advantage of to give you, the user, an easy way to alter a secret key's value without worrying about incurring downtime from swapping the underlying value.

We simply use the --overwrite flag to tell Astra that we're aware that the secret key is already populated.

~|⇒ astra secret put testbed production my_key="some_value" --overwrite
✓ Successfully stored secret!

To use this secret, include it in your manifest file like so:

    secrets = [
        {
            name = "TESTBED_MY_KEY",
            valueFrom = "arn:aws:secretsmanager:us-east-2:317441058719:secret:astra/staging/testbed/my_key-b1IfAz:::88075348-b95a-439a-c39b-07df4f08a7b1"
        }
    ]

Insert the newly created secret into our manifest

With the secret stored, the final step is to update your application's manifest to utilize the new secret.

So let's navigate to our manifest file and copy-paste in our new secret key.

cd ~/Code/my_app
vim ./service_manifest.production.hcl

✅ Success! On the next deployment, the testbed service will automatically use the newly configured secret as an environment variable.
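Before deploying, it is worth checking that the valueFrom reference pasted into the manifest points at the secret you intended. The following Python check is an added example, not part of Astra: it parses the Secrets Manager reference format (ARN, then JSON key, version stage and version ID) and assumes, based only on the single ARN shown above, that Astra names secrets astra/<environment>/<service>/<key>; the function names are hypothetical.

```python
import re

# <secret ARN>[:<json-key>:<version-stage>:<version-id>]; Secrets Manager
# appends "-" plus six random characters to the secret name in the ARN.
REF = re.compile(
    r"^arn:aws:secretsmanager:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):secret:"
    r"(?P<name>[^:]+)-(?P<suffix>[A-Za-z0-9]{6})"
    r"(?::(?P<json_key>[^:]*):(?P<stage>[^:]*):(?P<version_id>[^:]*))?$"
)

# The reference shown on this page.
PAGE_EXAMPLE = ("arn:aws:secretsmanager:us-east-2:317441058719:secret:"
                "astra/staging/testbed/my_key-b1IfAz:::"
                "88075348-b95a-439a-c39b-07df4f08a7b1")


def parse_value_from(value_from):
    """Split a valueFrom string into its fields; empty fields become None."""
    m = REF.match(value_from)
    if m is None:
        raise ValueError("not a Secrets Manager reference: %r" % value_from)
    ref = {k: (v or None) for k, v in m.groupdict().items()}
    # Assumed naming convention: astra/<environment>/<service>/<key>.
    parts = ref["name"].split("/")
    if len(parts) == 4 and parts[0] == "astra":
        ref["environment"], ref["service"], ref["key"] = parts[1:]
    return ref


def check_reference(value_from, service, environment):
    """Return a list of findings for one manifest entry (empty list = OK)."""
    try:
        ref = parse_value_from(value_from)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if "environment" not in ref:
        findings.append("name does not follow astra/<env>/<service>/<key>")
    else:
        if ref["environment"] != environment:
            findings.append("secret belongs to %r, manifest targets %r"
                            % (ref["environment"], environment))
        if ref["service"] != service:
            findings.append("secret belongs to service %r, not %r"
                            % (ref["service"], service))
    if ref["version_id"] is None:
        findings.append("reference is not pinned to a version ID")
    return findings


if __name__ == "__main__":
    for finding in check_reference(PAGE_EXAMPLE, "testbed", "production"):
        print("WARN:", finding)
```

Run against the reference above with the production manifest as the target, the check reports that the secret's path names the staging environment.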