Feature request: add hook for database auth
ryancausey opened this issue · 3 comments
I have my Fauna database secret keys stored in a secrets storage solution. In this case I use AWS Secrets Manager, but I could see this applying to other solutions such as Vault. It would be useful in a CI/CD or even local development environment to be able to define a script to grab the relevant secret required for the fauna shell session.
I imagine this would be like some kind of hook tied into either the $HOME/.fauna-shell configuration file or the new project configuration file. Those configuration files could point to a JS script to be used to grab the secret key authentication for the endpoint. In my CI/CD environments and local environments I have the required AWS credentials files already set up to allow for retrieving the secret.
My current workaround plan is to run a script in CI/CD to grab the secret from AWS Secrets Manager and then write that out to a temporary fauna-shell configuration file.
Internal ticket number is FE-4741
Hey @ryancausey,
Another solution you could use is to do something like the following:
- Get the secret onto the machine you are using by interacting with your secrets manager. Place it in an environmental variable.
- Run the fauna-shell using the --secret option with the secret found in the environmental variable as your value.
In fact, all you need to do is provide this secret argument to connect to your database.
This forgoes the need to spin up a temporary configuration file.
This is the simplest "easy mode" for continuous deployment integrations with the shell, and fortunately it is in place out of the box.
Please reopen if you have questions or concerns on this approach.
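The approach from the reply above, as an added example that is not part of the original thread or the fauna-shell project. It assumes the AWS CLI is configured, that the secret's SecretString holds the raw Fauna key, and that the secret id is one you supply; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: Secrets Manager -> shell variable -> fauna --secret.
# Assumes SecretString holds the raw Fauna key; the secret id is supplied by you.

# Print the secret value on stdout; fail closed if the lookup fails or is empty.
fetch_fauna_secret() {
  local secret_id value
  secret_id="$1"
  value="$(aws secretsmanager get-secret-value --secret-id "$secret_id" \
            --query SecretString --output text)" || return 1
  # The AWS CLI prints "None" in text mode when SecretString is null.
  if [ -z "$value" ] || [ "$value" = "None" ]; then
    echo "no usable SecretString for $secret_id" >&2
    return 1
  fi
  printf '%s' "$value"
}

# Usage: run_fauna <secret-id> <fauna subcommand and args...>
run_fauna() {
  local secret_id secret rc trace
  secret_id="$1"; shift
  rc=0; trace=0
  # Pause xtrace so a CI job running with `set -x` does not log the key.
  case "$-" in *x*) trace=1; set +x ;; esac
  secret="$(fetch_fauna_secret "$secret_id")" || rc=$?
  if [ "$rc" -eq 0 ]; then
    # The key is held in a non-exported variable and never written to disk.
    # It is still in fauna's argument list, which other local users can read
    # (e.g. with ps) while it runs, so prefer single-tenant runners.
    fauna "$@" --secret "$secret" || rc=$?
  fi
  unset secret
  if [ "$trace" -eq 1 ]; then set -x; fi
  return "$rc"
}

# Stand-alone use: ./fauna-with-secret.sh <secret-id> shell
if [ "$#" -gt 0 ]; then
  run_fauna "$@"
fi
```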