Secrets

1. System Context

Developers use Nitric to define required secrets within their application.

  • App code uses the Secrets resource from the Nitric SDK.
  • Developers define secrets their application requires and implement logic to securely access and/or update secret values.

Operations use default or overridden IaC (e.g. Terraform modules) to provision the necessary resources for their target cloud.

Example AWS Provider
  • AWS Secrets Manager stores and manages secrets.
  • AWS IAM provides roles/policies for secure access to secrets.
  • Diagram summary: the Developer writes Code and Operations maintain Terraform; `nitric up` runs the Terraform, which performs "Create Secret" against AWS Secrets Manager and "Provide Access" via AWS IAM; the deployed AWS Lambda Functions then perform "Access Secret" against AWS Secrets Manager.
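The "Create Secret" and "Provide Access" steps for the AWS provider, written here as an added example for this page (it is not Nitric's own Terraform module): one secret in AWS Secrets Manager and a least-privilege IAM policy attached to the function's execution role. The variable names, the `api-key` secret name, the `x-nitric-name` tag key and the assumption that the Lambda execution role already exists are all illustrative.

```hcl
# Added illustration for this page, not Nitric's own Terraform module.
# Assumed: the Lambda execution role already exists and is passed in by name;
# "api-key" is the secret name the app declared with the SDK's secret resource.

variable "secret_name" {
  type    = string
  default = "api-key"
}

variable "lambda_role_name" {
  type = string
}

# Create Secret: the container only. Do NOT add an aws_secretsmanager_secret_version
# with a literal value here; the value would land in source control and in Terraform
# state. Set it at runtime via the SDK's put operation (or out of band) instead.
resource "aws_secretsmanager_secret" "declared" {
  name                    = var.secret_name
  recovery_window_in_days = 7 # lets an accidental destroy be reverted

  tags = {
    "x-nitric-name" = var.secret_name # assumed tag key used for identification
  }
}

# Provide Access, weak form (kept commented out for contrast): every secret in the
# account becomes readable by the function.
# statement {
#   actions   = ["secretsmanager:GetSecretValue"]
#   resources = ["*"]
# }

# Provide Access, least-privilege form: only the operations the app declared
# (access + put), only on the ARN of this secret. The attribute reference resolves
# to the full ARN including the random suffix, so no wildcard is needed.
data "aws_iam_policy_document" "secret_access" {
  statement {
    sid       = "AccessDeclaredSecret"
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = [aws_secretsmanager_secret.declared.arn]
  }

  statement {
    sid       = "PutDeclaredSecret"
    effect    = "Allow"
    actions   = ["secretsmanager:PutSecretValue"]
    resources = [aws_secretsmanager_secret.declared.arn]
  }
}

resource "aws_iam_policy" "secret_access" {
  name   = "${var.secret_name}-secret-access"
  policy = data.aws_iam_policy_document.secret_access.json
}

resource "aws_iam_role_policy_attachment" "lambda_secret_access" {
  role       = var.lambda_role_name
  policy_arn = aws_iam_policy.secret_access.arn
}
```

Two checks worth making after applying something like this: if the secret is encrypted with a customer-managed KMS key (`kms_key_id` set on the secret), the execution role also needs `kms:Decrypt` (and `kms:GenerateDataKey` for writes) on that key, whereas the default `aws/secretsmanager` key needs no extra statement; and a function that only declared `access` should not receive the `PutSecretValue` statement at all, since the policy should mirror exactly the access requirements registered by the app.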
Example GCP Provider
  • Google Secret Manager stores and manages secrets.
  • Google IAM provides roles/policies for secure access to secrets.
  • Diagram summary: the Developer writes Code and Operations maintain Terraform; `nitric up` runs the Terraform, which performs "Create Secret" against Google Secret Manager and "Provide Access" via Google IAM; the deployed Google Cloud Functions then perform "Access Secret" against Google Secret Manager.

2. Sequence

Build Sequence

Below is the sequence of events that occur when a developer registers a secret with Nitric. This includes defining the secret and its access requirements, which are then provisioned by the Nitric provider using IaC.

Participants: App Worker(s), Nitric SDK, Nitric CLI, Nitric Provider (plugin), IaC (e.g. Terraform).

  • App Worker(s) -> Nitric SDK: Register Secret
  • App Worker(s) -> Nitric SDK: Register Access Requirements
  • Nitric SDK -> Nitric CLI: Register Secret
  • Nitric SDK -> Nitric CLI: Register Access Requirements
  • Nitric CLI -> Nitric Provider (plugin): Forward Nitric Spec
  • Nitric Provider (plugin) -> IaC (e.g. Terraform): Provision Secret
  • Nitric Provider (plugin) -> IaC (e.g. Terraform): Provision IAM

Runtime Sequence

Below is a sequence diagram showing the runtime flow of a secret operation in a Nitric application, using the Nitric SDK. The SDK forwards the request to the Nitric runtime, which converts the request and forwards it to the cloud secrets management API. The plugin nature of the Nitric runtime allows for seamless integration with different cloud providers.

Participants: App Code, Nitric SDK, Nitric Runtime (plugin), Secrets Management (e.g. AWS Secrets Manager).

  • App Code -> Nitric SDK: Access()
  • Nitric SDK -> Nitric Runtime (plugin): Forward Request
  • Nitric Runtime (plugin): Convert Request (generic secret operation to the provider's API call)
  • Nitric Runtime (plugin) -> Secrets Management (e.g. AWS Secrets Manager): Secrets Management Request

3. Component

Secrets Module

  • Dynamically creates and manages secure storage for sensitive information, ensuring confidentiality and integrity.
  • Configures secrets with appropriate metadata or tags for easy identification, tracking, and management.
  • Enforces access control policies to restrict secret usage to authorized applications or services, following the principle of least privilege.
  • Supports versioning of secrets to facilitate secure updates and rollback capabilities without service disruption.
  • Provides seamless integration with application workflows by enabling dynamic retrieval and management of secrets.
  • Abstracts the complexity of underlying secret management systems, allowing developers and operators to interact with a unified interface regardless of the cloud provider.

4. Code

Developers write application code that imports the 'secret' resource from the SDK, configures the secret, and implements the application logic to access and manage secrets.

SDK Reference by language -

Operations will use or extend the Nitric infrastructure modules, including both Terraform and Pulumi:

Last updated on Feb 15, 2025