@wakeflow/secrets v1.0.29

@wakeflow/secrets

This is a package that the team at Wakeflow use to manage secrets in GCP projects. It adds any "remote" secrets stored in GCP to the "local" secrets in your .env file

How to use

1. Add all your secrets to secret manager https://console.cloud.google.com/security/secret-manager

2. add the following to your .env GOOGLE_APPLICATION_CREDENTIALS=/Users/andreaskater/secrets/contractvoice-d4ea52312c2f.json (Make sure to get your own creds from IAM on GCP console and replace the above path)

3. Now you can run npx @wakeflow/secrets to sync the secrets in GCP Secret Manager into your .env file.

   You'll notice that they're added at the bottom after ### ADDED_BY_WAKEFLOW_SECRETS:. Please don't remove that comment. It is required for future syncs.

   If the secrets on GCP Secret Manager are updated you can run npx @wakeflow/secrets again to update them in your local .env file.

   Note: it will only update the secrets south of ### ADDED_BY_WAKEFLOW_SECRETS:. It will never override secrets above ### ADDED_BY_WAKEFLOW_SECRETS:

4. make sure you have .gitignored .env so that your local configuration doesn't get shared with colleagues

How to use in production

6. add ENV=development to your local .env (if you're developing locally and set ENV=development, then npx @wakeflow/secrets will get secrets from GCP Secret Manager that end in _development and put them into your .env file without that postfix. E.g. API_KEY_development on GCP Secret Manager will be saved as API_KEY in your .env file if ENV=development)

7. create a .env.production file and set ENV=production in there so that production secrets will be downloaded when your code is deployed to production.

8. make sure you have .gitignored .env, but not .env.production, because .env.production will be used for non-secret production configuration that everyone can see. In the next step it gets copied into the production environment during CI/CD.

9. add the below to your /.github/workflows/cicd.yaml

 - run: cp .env.production .env
 - run: npx @wakeflow/secrets

10. Push a commit to main branch to trigger your github action

Scripts

add

npx @wakeflow/secrets add API_KEY abc123

This script will add a secret called API_KEY with value abc123 to the remote GCP Secret Manager.

upload

npx @wakeflow/secrets upload .env.prod

This script will add all the secrets stored in the .env.prod file to the remote GCP Secret Manager.

Problems/Support/Feedback

Please don't hesitate to get in touch on andi@wakeflow.io