Understanding the secrets.edgelq.com service API v1, in proto package ntt.secrets.v1.
SPEKTRA Edge Secrets Service API
The Secrets service's task is to securely store customers' application secrets.
Encryption and decryption are done on the server side, so secrets are only ever stored as encrypted entries in the database; plaintext never reaches storage.
Full API Specifications (with resources):
Resources
Secrets
A Secret resource is responsible for handling a single secret, and contains:
- Name
- EncData, the encrypted data, protected by role-bindings (read checks) and the only form stored in the database
- Data, the plaintext data to be stored as a secret
During secret creation, the plaintext is taken from the Data field and encrypted using the configured encryption function; the resulting encrypted bytes are saved under the EncData field while the Data field is erased.
Decryption works the same way in reverse: EncData is decrypted into Data for the response.
Secrets are a regional concept, meaning that only a single region holds the decryption keys for a given secret.
Secrets storage and retrieval
The Secrets service introduces additional commands to decrypt and encrypt data using a Secret.
Sample query to list secrets (returned in their encrypted form):
cuttle secrets list secrets -o json
Sample query to create a secret:
cuttle secrets create secret {SECRET_ID} \
--region {REGION_ID} --project {PROJECT_ID} \
--data {JSON_DATA}
Sample query to decrypt a secret:
cuttle secrets get secret {SECRET_NAME} -o json
Secrets can also be decrypted with the BatchGet method. Secrets are not decrypted by collection-type methods, like ListSecrets, which return only the EncData form.
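The resource lifecycle described above (Data encrypted into EncData on create, Data erased from storage, Get and BatchGet decrypting, List returning the encrypted form only, keys held per region) is illustrated by the following added Go example. It is not the service's or the cuttle CLI's own code: the in-memory Store, the resource-name pattern, the region identifiers and the use of AES-256-GCM as the "given encryption function" are all assumptions of this example, chosen so the behaviour the page describes can be exercised offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Secret mirrors the fields listed for the resource: Name, Data (plaintext,
// present only in requests and decrypted responses) and EncData (ciphertext,
// the only form that ever reaches storage).
type Secret struct {
	Name    string
	Data    []byte
	EncData []byte
}

// Store is a hypothetical in-memory stand-in for the service's database plus
// its per-region key material. Each region holds its own AES-256-GCM key, so a
// region that has no key cannot create or decrypt secrets (regional concept).
type Store struct {
	keys    map[string]cipher.AEAD // one AEAD per region
	records map[string]Secret      // stored form only: EncData, never Data
}

// NewStore generates a fresh random key for every region it is told about.
func NewStore(regions ...string) (*Store, error) {
	s := &Store{keys: map[string]cipher.AEAD{}, records: map[string]Secret{}}
	for _, r := range regions {
		key := make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		block, err := aes.NewCipher(key)
		if err != nil {
			return nil, err
		}
		aead, err := cipher.NewGCM(block)
		if err != nil {
			return nil, err
		}
		s.keys[r] = aead
	}
	return s, nil
}

// name builds the key a secret is stored under; the exact resource-name
// pattern is an assumption of this example, not the service's documented one.
func name(project, region, id string) string {
	return fmt.Sprintf("projects/%s/regions/%s/secrets/%s", project, region, id)
}

// Create encrypts the Data field with the region's key, stores the result as
// EncData and erases Data. The resource name is bound as associated data so a
// stored ciphertext cannot be swapped onto a different secret undetected.
func (s *Store) Create(project, region, id string, data []byte) (Secret, error) {
	aead, ok := s.keys[region]
	if !ok {
		return Secret{}, fmt.Errorf("region %q holds no secrets key", region)
	}
	n := name(project, region, id)
	if _, exists := s.records[n]; exists {
		return Secret{}, fmt.Errorf("secret %q already exists", n)
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Secret{}, err
	}
	enc := aead.Seal(nonce, nonce, data, []byte(n)) // nonce || ciphertext || tag
	stored := Secret{Name: n, EncData: enc}         // Data deliberately absent
	s.records[n] = stored
	return stored, nil
}

// Get is the decrypting read: the response carries Data and omits EncData.
func (s *Store) Get(project, region, id string) (Secret, error) {
	n := name(project, region, id)
	stored, ok := s.records[n]
	if !ok {
		return Secret{}, errors.New("secret not found")
	}
	aead := s.keys[region] // present, otherwise Create could not have stored it
	ns := aead.NonceSize()
	if len(stored.EncData) < ns {
		return Secret{}, errors.New("corrupt EncData")
	}
	data, err := aead.Open(nil, stored.EncData[:ns], stored.EncData[ns:], []byte(n))
	if err != nil { // wrong key, tampered ciphertext or tampered name all end here
		return Secret{}, fmt.Errorf("decrypt %q: %w", n, err)
	}
	return Secret{Name: n, Data: data}, nil
}

// BatchGet decrypts several secrets at once; any single failure fails the batch.
func (s *Store) BatchGet(project, region string, ids []string) ([]Secret, error) {
	out := make([]Secret, 0, len(ids))
	for _, id := range ids {
		sec, err := s.Get(project, region, id)
		if err != nil {
			return nil, err
		}
		out = append(out, sec)
	}
	return out, nil
}

// List is a collection-type method: it returns records exactly as stored,
// i.e. with EncData populated and Data absent, and never decrypts.
func (s *Store) List(project, region string) []Secret {
	var out []Secret
	for n, rec := range s.records {
		if strings.HasPrefix(n, name(project, region, "")) {
			out = append(out, rec)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

func main() {
	s, _ := NewStore("region-a") // constructed region id
	created, _ := s.Create("demo-project", "region-a", "db-password", []byte(`{"password":"constructed"}`))
	fmt.Printf("stored: Data=%v EncData=%d bytes\n", created.Data, len(created.EncData))
	got, _ := s.Get("demo-project", "region-a", "db-password")
	fmt.Printf("get:    Data=%s EncData=%v\n", got.Data, got.EncData)
	fmt.Printf("list:   %d record(s), first has Data=%v\n", len(s.List("demo-project", "region-a")), s.List("demo-project", "region-a")[0].Data)
}
```

The two points worth carrying over to any real deployment are visible in the test paths: a region that holds no key refuses to create or decrypt, and an authenticated cipher makes a tampered EncData fail on Get rather than return garbage.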