Here is the question that inspired this request:
@lastmjs:
Security question: is it safe to have secret keys in server-side subscription functions? How I dealt with secret keys before on my VPS was through environment variables, so the keys were never checked into any kind of source control and had to be manually entered into the VPS. I think that was a good practice. Is there anything like that available for the cloud functions that graph.cool supports, or is that unnecessary?
@sorenbs replied:
This is a good point @lastmjs. You can assume that source code in a Graphcool Function is kept safe. Our execution engine is using the concept of containers to separate functions. For performance reasons all functions within a project are executed in the same container, but there is no way for functions in different projects to interact with each other.
Even though it is safe to store secrets in your Graphcool Functions, I think it would be valuable for Graphcool to provide a centrally managed store for environment variables. Could you open a feature request for this?
If you decide you need to manage your secrets with environment variables, I would encourage you to look into the Serverless Framework and AWS Lambda. It allows you to easily deploy a Lambda function with injected environment variables that you can hook into your Graphcool project as a webhook.
Thanks so much, I like it! This is related to #219 as well.
I'm not sure how centrally managed it should be. I think it could be nice to provide each function with its own environment variables as part of setting up that function.
Auth0 Extend already allows defining secrets that are part of the container. The editor also allows for that out of the box. So enabling this feature in the console would give users a way to store environment variables and secrets without them showing up in the actual code:

Source: https://auth0.com/blog/serverless-webhooks-with-auth0-extend/
I'd like the environmental variables as well. Using Stripe I'll either need to use AWS Lambda as a payment microservice for my SaaS app, or store the Stripe secret key in the database at graph.cool.
For now I'm just defining my secrets at the top of the inline code, and storing a placeholder in my git repo. When I copy updated functions from my local filesystem to Graphcool, I make sure only to update everything under the lines with the secret constants.
The new CLI allows you to hook into environment variables in an .envrc file or similar. They are considered when deploying the project. More information here: https://www.graph.cool/forum/t/feedback-new-cli-beta/949?u=nilan
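The workflow discussed above (secret constants at the top of a function, placeholders in git) depends on never committing the real value. The sketch below is an added example, not code from this thread or from Graphcool: a check that can run over function source before a commit. The function names, the `__NAME__` placeholder convention and the sample input are assumptions; the `sk_live_`/`sk_test_` prefixes are Stripe's secret key format.

```javascript
// Values that count as "placeholder, safe to commit" (assumed convention).
const PLACEHOLDER = /^(|__[A-Z0-9_]+__|<[^>]*>|changeme|placeholder|x{3,})$/i;
// Stripe secret keys start with sk_live_ or sk_test_.
const STRIPE_KEY = /\bsk_(live|test)_[0-9a-zA-Z]{10,}\b/;
// const/let/var NAME = 'literal' where NAME suggests it holds a secret.
const SECRET_ASSIGN =
  /\b(?:const|let|var)\s+([\w$]*(?:SECRET|TOKEN|API_?KEY|PASSWORD)[\w$]*)\s*=\s*(['"`])(.*?)\2/i;

// Never echo a full secret into CI logs: keep only a short prefix.
function redact(value) {
  return value.length <= 8 ? '****' : value.slice(0, 4) + '****';
}

// Returns one finding per offending line: { line, rule, name?, preview }.
function findHardcodedSecrets(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    const line = i + 1;
    const stripe = text.match(STRIPE_KEY);
    if (stripe) {
      findings.push({ line, rule: 'stripe-secret-key', preview: redact(stripe[0]) });
      return;
    }
    const assign = text.match(SECRET_ASSIGN);
    // A literal assigned to a secret-looking name is fine only if it is a placeholder.
    if (assign && !PLACEHOLDER.test(assign[3].trim())) {
      findings.push({ line, rule: 'secret-constant', name: assign[1], preview: redact(assign[3]) });
    }
  });
  return findings;
}

// Constructed sample input; the key-like strings are made up for this example.
const SAMPLE = [
  "const STRIPE_SECRET_KEY = '__STRIPE_SECRET_KEY__'",  // placeholder: allowed
  "const MAILGUN_API_KEY = 'key-3f9a1c7e42'",           // real-looking literal: flagged
  "const stripe = require('stripe')('" + 'sk_test_' + 'CONSTRUCTED0000000000' + "')",
  "const apiToken = process.env.API_TOKEN",             // read from environment: allowed
  "module.exports = event => event",
].join('\n');

console.log(findHardcodedSecrets(SAMPLE));
```

A non-empty result would be treated as a failed check, so the commit or deploy stops before the literal reaches source control.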