Access Tokens and other secrets

We don’t want to store them in a code repository, because … they are secrets.

So, how to get them into a ruleset?

Use an event. There are a couple of possibilities: at the moment of installation, or later.

  1. The ruleset installation event

    1. From the developer UI Rulesets tab

    2. Programmatically

  2. An event selected by a rule of your devising

    1. From the developer UI Testing tab

    2. Programmatically

    3. From a web page of your devising

For example, we’ll show how to store a username (“me”) and a password (“mine”).

Install ruleset in the Rulesets tab of the developer UI

How to provide secrets

We enter the URL of the ruleset source code, and provide a configuration map:

[Screenshot: Rulesets tab install form]

Clicking the Install button sends an event over the pico’s engine ui channel.

Where secrets are visible

The logs will show this event, including this information:

{
  "eci": "clsnsfxdc01h3xms4a4zmbx9e",
  "domain": "wrangler",
  "name": "install_ruleset_request",
  "data": {
    "attrs": {
      "url": "file:///Users/bruceconrad/Documents/sdk.krl",
      "config": {
        "username": "me",
        "password": "mine"
      },
      …
    }
  },
  "time": 1708986131079
}

This means that the secrets will be clearly visible in the Logging tab of the developer UI for the next twelve hours. They will also be in the pico-engine.log files for the next several weeks or months (until the logs rotate away).

These log files are available to the administrator of the pico engine.

Besides this, they are visible on the Rulesets page of the developer UI when the RID is checked:

[Screenshot: Rulesets page with the RID checked]

This visibility does not go away with the passage of time.

How to use the configuration

From within the ruleset, the configuration map is available as meta:rulesetConfig and can be used by the ruleset to get at the values it contains.

Ruleset installation programmatically

Send the same wrangler:install_ruleset_request event in some other way to the pico, over a channel whose policy allows this event.

The same visibility will apply.

Use an event selected by a rule of your devising

We define an event, say sdk:new_secrets, and write a rule that selects on this event.

From the developer UI Testing tab

Where secrets are visible

Again, the event will be logged, including this information:

{
  "eci": "clt4f2hew025ldys4eyrj303q",
  "domain": "sdk",
  "name": "new_secrets",
  "data": {
    "attrs": {
      "username": "me",
      "password": "mine"
    }
  },
  "time": 1709041325101
}

Logs are visible in the Logging tab of the developer UI for twelve hours, and in the pico-engine.log files which rotate through 10 file names and eventually drop off.
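An added example, not part of the original page or the pico engine's own code: a Python check that scans log records for the two event shapes shown above and reports where a secret-bearing attribute was logged, so the affected credentials can be rotated. It assumes one JSON object per log line with the event fields at the top level; the key-name pattern and the function names are hypothetical.

```python
import json
import re

# Key names treated as secret-bearing; an assumption, extend it for your own rulesets.
SECRET_KEY = re.compile(r"pass(word)?|secret|token|api[_-]?key", re.I)

def secret_paths(node, path=""):
    """Yield dotted paths of non-empty values stored under secret-looking keys."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if SECRET_KEY.search(key) and value not in ("", None):
                yield here
            else:
                yield from secret_paths(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from secret_paths(item, f"{path}[{i}]")

def audit(lines):
    """Return (line_no, 'domain:name', path) per exposed secret; values are never echoed."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON record, nothing to inspect
        if not isinstance(record, dict):
            continue
        event = f"{record.get('domain', '?')}:{record.get('name', '?')}"
        findings += [(line_no, event, p) for p in secret_paths(record)]
    return findings

# Constructed sample lines mirroring the two event shapes shown on this page.
SAMPLE_LOG = [
    '{"eci":"clsnsfxdc01h3xms4a4zmbx9e","domain":"wrangler","name":"install_ruleset_request",'
    '"data":{"attrs":{"url":"file:///Users/bruceconrad/Documents/sdk.krl",'
    '"config":{"username":"me","password":"mine"}}},"time":1708986131079}',
    '{"eci":"clt4f2hew025ldys4eyrj303q","domain":"sdk","name":"new_secrets",'
    '"data":{"attrs":{"username":"me","password":"mine"}},"time":1709041325101}',
    'engine started',  # constructed non-JSON noise line
    '{"domain":"sdk","name":"status","data":{"attrs":{"ok":true}}}',
]

if __name__ == "__main__":
    for line_no, event, path in audit(SAMPLE_LOG):
        print(f"line {line_no}: {event} exposes {path}")
```

The report names only the event and the attribute path, so the audit output itself does not become another copy of the secret.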

How to use the secrets

They will come into the selected rules as event attributes. From there, they can be used directly and/or stored in entity variables.

Samples

Copyright Picolabs | Licensed under Creative Commons.