Secret Store Integration

The secret store integration provides a secure interface for managing sensitive data within the DAP orchestrator, ensuring that secret values are never exposed in command-line arguments, environment variables, or standard output logs. The architecture relies on a client layer that communicates with the orchestrator’s REST API to store secrets encrypted server-side, while the CLI layer enforces strict input handling by accepting values only through interactive prompts, stdin pipes, or files. This design minimizes the blast radius of potential leaks by ensuring that deployment records store only secret keys, and that the is_hidden_value flag prevents authenticated REST clients from retrieving plaintext values.

The src/dap/secrets/client.py module exposes four primary functions for interacting with the orchestrator’s secret store at /api/v3.1/secrets/<key> [1]. These functions use the open_orchestrator_client context manager to issue HTTP requests with the appropriate authenticated session or admin bootstrap result.

The upsert_secret function creates or updates a secret, supporting idempotent operations via the update_if_exists flag. It accepts a hidden parameter (defaulting to True) which sets is_hidden_value in the request body, ensuring that even authenticated clients receive value: null when retrieving the secret later. The list_secrets function retrieves metadata for all secrets but explicitly filters the response to exclude values, returning only keys, visibility, and hidden status to prevent accidental data exposure. The get_secret_meta function retrieves metadata for a specific key, returning the value only if is_hidden_value is false; otherwise, it returns None for the value field. The delete_secret function removes a secret, treating a 404 response as a successful no-op.

The src/dap/secrets/commands.py module implements the dap secret subcommands, enforcing strict security policies on how secret values are provided to the system. The CLI explicitly rejects plaintext values via command-line arguments (--value) and environment variables to prevent leakage through /proc/<pid>/cmdline or shell history [2].

Instead, the CLI accepts secret values through three ranked channels, all handled by the read_secret helper from src/dap/secret_input:

  1. Interactive Prompt (Default): When stdin is a TTY, the CLI uses Click’s hide_input=True to read the value directly from the terminal, ensuring it never appears in shell history or logs.
  2. Stdin Pipe (--value-stdin): Suitable for scripting, this flag reads the value from the process’s standard input, avoiding argv exposure.
  3. File Path (--value-file): Reads the value from a specified file, trimming whitespace.

The secret_put command uses these inputs to call upsert_secret, allowing operators to toggle the is_hidden_value flag via the --visible option. The secret_list command displays a table of keys and their visibility status but never prints values. The secret_show command displays metadata for a specific key; if the secret is hidden, it explicitly redacts the value field in the output. The secret_delete command removes the secret from the orchestrator.
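The three input channels, the hidden-flag request body and the redaction that secret_show applies, as an added illustration that is not the project's own code. It assumes explicit flags take precedence over the interactive default and are mutually exclusive, uses stdlib getpass where the real CLI uses Click's hide_input=True, and the JSON field names are assumed to match the page's descriptions.

```python
import getpass
import sys
from pathlib import Path
from typing import Callable, Optional, TextIO


def read_secret(
    value_stdin: bool = False,
    value_file: Optional[str] = None,
    stdin: Optional[TextIO] = None,
    prompt: Callable[[str], str] = getpass.getpass,
) -> str:
    """Return a secret value via one of the three permitted channels.

    There is deliberately no `value` parameter: plaintext can only arrive
    through a hidden prompt, a pipe, or a file, never via argv (readable
    from /proc/<pid>/cmdline) or the shell history. Flag precedence and
    mutual exclusion are assumptions of this example.
    """
    stdin = sys.stdin if stdin is None else stdin
    if value_stdin and value_file:
        raise ValueError("--value-stdin and --value-file are mutually exclusive")
    if value_file:
        # File channel: read once, trim surrounding whitespace and newlines.
        value = Path(value_file).read_text(encoding="utf-8").strip()
    elif value_stdin:
        # Pipe channel: consume stdin, drop the trailing newline `echo` adds.
        value = stdin.read().rstrip("\r\n")
    elif stdin.isatty():
        # Interactive channel: hidden prompt (getpass here, Click hide_input in the CLI).
        value = prompt("Secret value: ")
    else:
        raise ValueError("stdin is not a TTY; use --value-stdin or --value-file")
    if not value:
        raise ValueError("refusing to store an empty secret value")
    return value


def upsert_body(key: str, value: str, hidden: bool = True) -> dict:
    """Request body for PUT /api/v3.1/secrets/<key> (field names assumed)."""
    return {"key": key, "value": value, "is_hidden_value": hidden}


def redact_meta(meta: dict) -> dict:
    """What secret_show may print: the value survives only for non-hidden secrets."""
    shown = {k: v for k, v in meta.items() if k != "value"}
    shown["value"] = None if meta.get("is_hidden_value", True) else meta.get("value")
    return shown
```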