Access Tokens and other secrets
We don’t want to store them in a code repository, because … they are secrets.
So, how to get them into a ruleset?
Use an event. There are a couple of possibilities: at the moment of installation, or later.
  - The ruleset installation event
      - From the developer UI Rulesets tab
      - Programmatically
  - An event selected by a rule of your devising
      - From the developer UI Testing tab
      - Programmatically
      - From a web page of your devising
For example, we’ll show how to store a username (“me”) and a password (“mine”).
Install ruleset in the Rulesets tab of the developer UI
How to provide secrets
We enter the URL of the ruleset source code, and provide a configuration map:
Clicking the Install button sends an event over the pico’s engine ui channel.
Where secrets are visible
The logs will show this event, including this information:
{
  "eci": "clsnsfxdc01h3xms4a4zmbx9e",
  "domain": "wrangler",
  "name": "install_ruleset_request",
  "data": {
    "attrs": {
      "url": "file:///Users/bruceconrad/Documents/sdk.krl",
      "config": {
        "username": "me",
        "password": "mine"
      },
      …
    }
  },
  "time": 1708986131079
}
This means that the secrets will be clearly visible in the Logging tab of the developer UI for the next twelve hours. They will also be in the pico-engine.log files for the next several weeks or months (until the logs rotate away).
These log files are available to the administrator of the pico engine.
Besides this, they are visible on the Rulesets page of the developer UI when the RID is checked:
This visibility does not go away with the passage of time.
How to use the configuration
From within the ruleset, the configuration map is available as meta:rulesetConfig and can be used by the ruleset to get at the values it contains.
Ruleset installation programmatically
Send the same wrangler:install_ruleset_request event in some other way to the pico, over a channel whose policy allows this event.
The same visibility will apply.
Use an event selected by a rule of your devising
We define an event, say sdk:new_secrets, and write a rule that selects on this event.
From the developer UI Testing tab
Where secrets are visible
Again, the event will be logged, including this information:
{
  "eci": "clt4f2hew025ldys4eyrj303q",
  "domain": "sdk",
  "name": "new_secrets",
  "data": {
    "attrs": {
      "username": "me",
      "password": "mine",
      …
    }
  },
  "time": 1709041325101
}
Logs are visible in the Logging tab of the developer UI for twelve hours, and in the pico-engine.log files which rotate through 10 file names and eventually drop off.
How to use the secrets
They will come into the selected rules as event attributes. From there, they can be used directly and/or stored in entity variables.
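As an added example (not code from the original page or from the b1conrad samples), the following hypothetical ruleset shows both approaches side by side: reading values from meta:rulesetConfig in the global block, and a rule that selects on sdk:new_secrets and moves the username and password attributes into entity variables, where the engine does not log them on every event the way it logs event attributes. The ruleset name, rule name and entity variable names are assumptions.

```krl
ruleset sdk {
  meta {
    name "Secrets demo (added example)"
  }
  global {
    // Values supplied in the configuration map at install time.
    // These keys are assumptions; any key present in the map works the same way.
    config_username = meta:rulesetConfig{"username"}
    config_password = meta:rulesetConfig{"password"}
  }
  rule store_new_secrets {
    // Selects on the sdk:new_secrets event raised from the Testing tab,
    // programmatically, or from a web page.
    select when sdk new_secrets
    pre {
      username = event:attrs{"username"}
      password = event:attrs{"password"}
    }
    // Only store when both attributes actually arrived with the event.
    if username && password then noop()
    fired {
      // Entity variables persist in the pico, so the secrets need to be
      // sent (and therefore logged) only once.
      ent:username := username
      ent:password := password
    }
  }
}
```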
Samples
  - A project to post into Bluesky: GitHub - b1conrad/microblog: microblog experiments, which uses a custom event, bsky:session_expired, to acquire and immediately use an identifier and password in order to obtain an identifier, an access token, and a refresh token. The event is raised manually in the Testing tab of the developer UI. The three secrets obtained are then stored in entity variables.
  - A ruleset to use mailjet to send email messages: PicoStack/languages/krl/com.mailjet.sdk.krl at main · b1conrad/PicoStack, which uses configuration to get several secrets into the ruleset. The values are bound to global names. Described more fully in the blog post Sending email via a web API.
  - A ruleset to use a webhook to post into a Teams channel: PicoStack/languages/krl/teams.webhook.messaging.krl at main · b1conrad/PicoStack, which uses configuration to give the ruleset the webhook URL. Described more fully in the blog post Notifications.
Copyright Picolabs | Licensed under Creative Commons.