Vault
Store secrets and environment values in a secure Vault
The vault is a system for storing secret information that shouldn’t be committed to version control. API keys are a perfect example of something you should store in the vault. You can also use it to store values that differ between environments, like flags and URLs.
Tip
Make sure you've added all your secret API keys and have your permissions setup properly for your team members such that you're compliant with your company's Infosec requirements.
The vault can be accessed in the Meya Console, or Meya CLI if you've set up your computer for local development.
Security and compliance
Not everyone needs to be able to view or update the vault. With Meya's team permissions, it's easy to control vault access so your app stays secure and compliant. Just create a team with the appropriate permissions, then assign users to the team.
The table below outlines the different vault permissions you can assign to teams.
| Permission | Description |
|---|---|
| None | User can: - view vault keys - view vault values only in their redacted form: ●●●●● User cannot: - create, update, or delete vault entries via console or Meya CLI |
| View | User can: - view vault keys and values User cannot: - create, update, or delete vault entries via console or Meya CLI |
| Modify | User can: - view, create, update, and delete vault entries |
Accessing the vault
To access the vault via the web console, navigate to your app, then choose Vault from the left-hand menu:
Vault UI in the Console
If you're developing your app locally, use the meya vault command to access an interactive menu with vault commands.
Vault via CLI
Viewing entries
If you have permission to view vault values, you'll see an eye icon next to the vault value. Clicking it will reveal the value. Click again to hide it.
Viewing vault values
If you're developing locally and don't have permission to view the vault, you'll see an error when running meya vault download:
User without permission to view entries
Vault syntax
The vault requires entries to be written using valid YAML or JSON syntax.
Learn more about syntax
Validate your syntax
Need help troubleshooting a syntax error? These tools can tell you what needs to be fixed:
When modifying the vault from a local development environment, you have the option of working with your vault file in either YAML or JSON format (YAML is the default).
JSON example:
meya vault download --json --file vault.secret.json
meya vault upload --json --file vault.secret.json
The same requirement is true in the web console. Invalid syntax will result in an error when you try to save your changes.
Invalid syntax
Creating, updating, and deleting entries
If you have permission to modify vault values, you'll see additional icons next to each entry for editing and deleting, and an Add item button at the bottom of the screen.
Updating entries
Click the pen icon to edit the vault key and value. Click the checkmark to finish editing. A green icon to the right of the entry will indicate an update has been made, but not saved.
Don't forget to hit the Save button in the top right corner to actually save your changes!
Updating a vault entry
If you're developing locally and don't have permission to modify the vault, you'll see an error when running meya vault upload:
User without permission to modify entries
Be careful when editing the vault entry's key.
If you have code that references the old key name, you'll get an error because the old key can no longer be found (see image below for an example).
Be careful when changing the name of a vault key
Creating and deleting entries
If you have permission to create and delete vault entries, you'll see a trashcan icon next to each entry, as well as an Add item button at the bottom of the screen.
Icons to the right of the entry will indicate whether the entry is being created or deleted:
Creating and deleting entries
Don't forget to hit the Save button in the top right corner to actually save your changes!
Using vault values at runtime
Your app can read values in the vault using Jinja2 syntax: (@ vault.foo )
The vault is read-only at runtime
Vault entries can only be created, updated, and deleted during the design process, not at runtim
Example
Here's how you can use the vault to store integration credentials and refer to them in your integration file:
type: meya.zendesk.support.integration
subdomain: (@ vault.zendesk.support.subdomain )
bot_agent_email: (@ vault.zendesk.support.bot_agent_email )
bot_agent_api_token: (@ vault.zendesk.support.bot_agent_api_token )
target_password: (@ vault.zendesk.support.target_password )
Here's what those vault entries would look like in the console:
Or if you're developing locally, your vault.secret.yaml file would look like this:
To learn more about how to update the vault using Meya CLI, check out the data scope guide.
Updated over 3 years ago