We don’t want to store them in a code repository, because … they are secrets.
So, how to get them into a ruleset?
Use an event. There are a couple of possibilities: at the moment of installation, or later.
- The ruleset installation event
  - From the developer UI Rulesets tab
  - Programmatically
- An event selected by a rule of your devising
  - From the developer UI Testing tab
  - Programmatically
  - From a web page of your devising
For example, we’ll show how to store a username (“me”) and a password (“mine”).
We enter the URL of the ruleset source code, and provide a configuration map:
Clicking the Install button sends an event over the pico’s engine ui channel.
The logs will show this event, including this information:
{ "eci": "clsnsfxdc01h3xms4a4zmbx9e", "domain": "wrangler", "name": "install_ruleset_request", "data": { "attrs": { "url": "file:///Users/bruceconrad/Documents/sdk.krl", "config": { "username": "me", "password": "mine" }, … } }, "time": 1708986131079 }
This means that the secrets will be clearly visible in the Logging tab of the developer UI for the next twelve hours. They will also be in the pico-engine.log files for the next several weeks or months (until the logs rotate away).
These log files are available to the administrator of the pico engine.
Besides this, they are visible on the Rulesets page of the developer UI when the RID is checked:
This visibility does not go away with the passage of time.
From within the ruleset, the configuration map is available as meta:rulesetConfig and can be used by the ruleset to get at the values it contains.
Send the same wrangler:install_ruleset_request event in some other way to the pico, over a channel whose policy allows this event.
The same visibility will apply.
We define an event, say sdk:new_secrets, and write a rule that selects on this event.
Again, the event will be logged, including this information:
{ "eci": "clt4f2hew025ldys4eyrj303q", "domain": "sdk", "name": "new_secrets", "data": { "attrs": { "username": "me", "password": "mine", … } }, "time": 1709041325101 }
Logs are visible in the Logging tab of the developer UI for twelve hours, and in the pico-engine.log files which rotate through 10 file names and eventually drop off.
The secrets arrive in the selected rules as event attributes. From there, they can be used directly and/or stored in entity variables.
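Both the installation event and the custom event leave the secrets in the logs, so a copy of a log should be scrubbed before it is shared. The following is an added example, not code from the pico engine or from this page's rulesets: it redacts the two event shapes shown above and reports which events exposed which fields. It assumes one JSON event record per log line; the attribute names in SECRET_ATTRS and the sample log are constructed for illustration.

```javascript
// Added example, not pico-engine code. Assumes one JSON event record per log line,
// shaped like the excerpts above.
const SECRET_ATTRS = new Set(["username", "password"]); // assumed names of secret attributes
const MASK = "[REDACTED]";

// Return a redacted deep copy of one event record plus the list of masked fields.
function redactEvent(evt) {
  const copy = JSON.parse(JSON.stringify(evt));
  const attrs = (copy.data && copy.data.attrs) || {};
  const hits = [];
  // wrangler:install_ruleset_request carries the whole configuration map: mask every value.
  const isInstall = copy.domain === "wrangler" && copy.name === "install_ruleset_request";
  if (isInstall && attrs.config && typeof attrs.config === "object") {
    for (const key of Object.keys(attrs.config)) {
      attrs.config[key] = MASK;
      hits.push("config." + key);
    }
  }
  // Custom events (e.g. sdk:new_secrets) carry secrets as top-level attributes.
  for (const key of Object.keys(attrs)) {
    if (SECRET_ATTRS.has(key)) {
      attrs[key] = MASK;
      hits.push(key);
    }
  }
  return { event: copy, hits };
}

// Redact a whole log; non-JSON lines pass through unchanged.
function redactLog(text) {
  const lines = [];
  const report = []; // which events exposed which fields, for deciding what to rotate
  for (const line of text.split("\n")) {
    let evt;
    try { evt = JSON.parse(line); } catch { lines.push(line); continue; }
    if (evt === null || typeof evt !== "object") { lines.push(line); continue; }
    const { event, hits } = redactEvent(evt);
    lines.push(hits.length ? JSON.stringify(event) : line);
    if (hits.length) report.push({ event: `${evt.domain}:${evt.name}`, time: evt.time, hits });
  }
  return { text: lines.join("\n"), report };
}

// Constructed sample log (placeholder ECIs and URL, secret values from the page's example).
const SAMPLE_LOG = [
  '{"eci":"ECI_PLACEHOLDER_1","domain":"wrangler","name":"install_ruleset_request","data":{"attrs":{"url":"file:///example/sdk.krl","config":{"username":"me","password":"mine"}}},"time":1}',
  '{"eci":"ECI_PLACEHOLDER_2","domain":"sdk","name":"new_secrets","data":{"attrs":{"username":"me","password":"mine"}},"time":2}',
  "engine started (non-JSON line)",
].join("\n");
console.log(redactLog(SAMPLE_LOG));
```

Redacting a copy changes nothing in the engine's own log files or on the Rulesets page; the report lists the secrets that were exposed there.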
A project to post into Bluesky: https://github.com/b1conrad/microblog , which uses a custom event, bsky:session_expired, to acquire and immediately use an identifier and password, to obtain an identifier, an access token, and a refresh token. The event is raised manually in the Testing tab of the developer UI. The three secrets obtained are then stored in entity variables.
A ruleset to use Mailjet to send email messages: https://github.com/b1conrad/PicoStack/blob/main/languages/krl/com.mailjet.sdk.krl , which uses configuration to get several secrets into the ruleset. The values are bound to global names. It is described more fully in the blog post Sending email via a web API.
A ruleset to use a webhook to post into a Teams channel: https://github.com/b1conrad/PicoStack/blob/main/languages/krl/teams.webhook.messaging.krl , which uses configuration to give the ruleset the webhook URL. It is described more fully in the blog post Notifications.