Managing secrets in your space and accessing them from your flows

STANDARD PREMIUM ULTIMATE

In many scenarios, various flows rely on accessing sensitive information like credentials and configuration parameters to communicate with external services. The Secret Manager provided by qibb offers a solution by allowing you to store and manage such data, referred to as “secrets”, in a centralized location, making it convenient to access from multiple flows.

Manage your secrets

Secrets are managed per qibb space. To manage the secrets of a particular space, you must be a member of that space with the Owner Role. Learn here how to manage space membership. With the correct permissions, you will find the “Secrets” Tab on the detail page of a space. This view includes information about:

  • Version: This indicates how often a secret entry was changed. This includes any action performed, such as editing, adding or removing secrets. Any change of the space secrets will increase the version number.

  • Updated at: This indicates when the secrets have been changed.

  • Created at: This indicates when the initial version of the secrets has been created.

  • Issued at: This indicates when the secrets have been issued and fetched by your browser.

Secrets of a space

How to create a secret

  1. To create a new secret, click on the + button.

  2. Enter a KEY for the secret. Typically, this is a descriptive title, so that it's easily identifiable by humans.

  3. Enter a VALUE for the secret. This is the actual credential or parameter you want to store. Secrets can be stored in either text (string) or JSON.

  4. Hit Confirm to store the secret.

A secret stored in text (string): Text (String) is suitable for most use cases.

A secret stored in JSON: Suitable when a lot of parameters shall be stored or the data input already exists as JSON.

It is recommended to choose a descriptive title for the KEY, so that it's easily identifiable by humans. In addition, the KEY will be used as the variable name when accessed by a flow.

As a good practice, include product and service names in the KEY to keep your secrets organized, e.g. PRODUCT_A_API_HOST, PRODUCT_A_API_KEY, PRODUCT_B_USERNAME, PRODUCT_B_PASSWORD

How to set up Secret Manager in your flow

Secrets can be automatically fetched and easily accessed from a flow by using qibb’s Secret Manager node. The Secret Manager can be found in the node catalog. Note that flows can only fetch the secrets of the space they are deployed in.

The Secret Manager node offers the following configuration options:

Autosync

Description: Defines the interval at which the space secrets are fetched.

Options:

  • Every 1 min

  • Every 30 min

  • Every 60 min

  • Every 12 hours

  • Every 24 hours

Sync on Save

Description: Toggles whether the node fetches secrets whenever the flow is changed and saved.

Note: if your Save Mode is set to “Modified Flows” or “Modified Nodes”, the Secret Manager node may not initiate the sync on save unless its properties or position have been changed (a blue indicator shows up).

Options:

  • True

  • False

How to set up Secret Manager in your flow

  1. Installation

    1. Navigate to your flow app.

    2. Open the Node Catalog in the right sidebar of the editor.

    3. Click on the (+) button of the Secret Manager node to install it.

  2. Setup

    1. After the installation has been successfully completed, drag and drop the Secret Manager node from the left sidebar into your flow.

    2. Adjust the properties of the node to your needs, such as the Autosync period.

    3. Save your flow.

Avoid dropping multiple instances of this node. Only one instance of this node is required.

How to access secrets from your flow

  1. The node should automatically try to fetch from qibb’s Secret Manager API and update its status with a “🆗 Synced” message.

  2. The secrets will be stored in the Global Context under SECRETS. Additional metadata will be stored under SECRETS_METADATA.

  3. That’s it! You can now access your secrets by referencing the secret variables stored on the Global Context. If you want to learn how to read variables stored on the Global Context, have a look at Global, Flow and Environment Variables and OpenAPI Client.

Secrets redaction

All sensitive data stored in the Global Context under the SECRETS category will be replaced with ******* when viewed in the debug sidebar and backend console, when the value is in string format and has more than two characters.

Similarly, any JSON object or JSON-formatted string containing keys from the list below will also be masked as *******. Credit card number formats will be masked too.

[
    'password',
    'passwd',
    'pw',
    'pass',
    'secret',
    'token',
    'apikey',
    'api-key',
    'api.key',
    'api_key',
    'sessionid',
    'session-id',
    'session.id',
    'session_id',
    
    'idToken',  // jwt token
    'accessToken',  // jwt token
    'refreshToken',  // jwt token

    'proxy-authorization',  // Authorization headers
    'authorization',  // Authorization headers
    'x-api-key',  // API key headers
    'set-cookie',  // Cookie headers
    'cookie',  // Cookie headers
    'x-vault-token',  // Vault token

    'x-amz-security-token',  // AWS security token
    'accessKey',  // AWS accessKeyId
    'accessKeyId',  // AWS accessKeyId
    'access_key',  // AWS accessKeyId
    'access_key_id',  // AWS accessKeyId
    'secretKey', // AWS secretAccessKey
    'secretAccessKey', // AWS secretAccessKey
    'secret_key', // AWS secretAccessKey
    'secret_access_key'  // AWS secretAccessKey
]
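
The JavaScript below is an added example, not qibb's code: it models the redaction rules described in this section so you can check which fields of a payload would still be readable in debug output. It assumes key names match exactly and case-insensitively and that a credit card number format is 13-19 digits with optional separators; the function names and the sample secrets (including PRODUCT_B_PIN and PRODUCT_C) are constructed for illustration.

```javascript
// Added example, not qibb's code. Assumptions: key names match exactly and
// case-insensitively; a card number is 13-19 digits with optional space/dash separators.
const MASK = '*******';
const MASKED_KEYS = new Set([
  'password', 'passwd', 'pw', 'pass', 'secret', 'token', 'apikey', 'api-key', 'api.key',
  'api_key', 'sessionid', 'session-id', 'session.id', 'session_id', 'idToken',
  'accessToken', 'refreshToken', 'proxy-authorization', 'authorization', 'x-api-key',
  'set-cookie', 'cookie', 'x-vault-token', 'x-amz-security-token', 'accessKey',
  'accessKeyId', 'access_key', 'access_key_id', 'secretKey', 'secretAccessKey', 'secret_key', 'secret_access_key',
].map((k) => k.toLowerCase()));
const CARD_RE = /\b\d(?:[ -]?\d){12,18}\b/g;

// Key-list rule: walk objects, arrays and JSON-formatted strings.
function redact(value) {
  if (typeof value === 'string') {
    try {
      const parsed = JSON.parse(value);
      if (parsed !== null && typeof parsed === 'object') return JSON.stringify(redact(parsed));
    } catch (err) { /* plain string, not JSON */ }
    return value.replace(CARD_RE, MASK);
  }
  if (Array.isArray(value)) return value.map(redact);
  if (value !== null && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(
      ([k, v]) => [k, MASKED_KEYS.has(k.toLowerCase()) ? MASK : redact(v)]));
  }
  return value;
}

// SECRETS rule: strings longer than two characters are masked; other values use the key list.
function redactSecrets(secrets) {
  return Object.fromEntries(Object.entries(secrets).map(([k, v]) =>
    [k, typeof v === 'string' && v.length > 2 ? MASK : redact(v)]));
}

// Paths of string leaves that are not fully masked after redaction: review these.
function readablePaths(redacted, prefix = '') {
  if (typeof redacted === 'string') return redacted === MASK ? [] : [prefix];
  if (redacted === null || typeof redacted !== 'object') return [];
  return Object.entries(redacted).flatMap(
    ([k, v]) => readablePaths(v, prefix ? `${prefix}.${k}` : k));
}

// Constructed sample secrets; none of these values are real.
const SAMPLE_SECRETS = {
  PRODUCT_A_API_KEY: 'k3y-constructed', PRODUCT_B_PIN: '42',
  PRODUCT_C: { host: 'api.example.test', username: 'svc-flow', password: 'constructed' },
};
console.log(readablePaths(redactSecrets(SAMPLE_SECRETS)));
```

Under these assumptions the two-character value and the JSON fields whose keys are not on the list stay readable, which is a reason to keep sensitive values in JSON secrets under keys that appear in the list.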