The crypto
task provides methods to work with Concord’s
secrets store as well as the methods to encrypt and
decrypt simple values without storing.
The task is provided automatically by Concord and does not require any external dependencies.
A SSH key pair, stored in the secrets store can be exported as a pair of files into a process’ working directory:
- ${crypto.exportKeyAsFile('myOrg', 'myKey', 'myKeyPassword')}
This expression returns a map with two keys:
public
- relative path to the public key of the key pair;private
- same but for the private key.A full example adds a key via the REST API:
$ curl -u yourusername \
-F storePassword="myKeyPassword" \
-F name=myKey \
-F type=key_pair \
http://concord.example.com/api/1/org/Default/secret
{
"id" : "...",
"result" : "CREATED",
"name" : "myKey",
"publicKey" : "...",
"password" : "myKeyPassword",
"ok" : true
}
And subsequently exports the key in the default flow.
flows:
default:
- expr: ${crypto.exportKeyAsFile('myOrg', 'myKey', 'myKeyPassword')}
out: myKeys
- log: "Public: ${myKeys.public}"
- log: "Private: ${myKeys.private}"
The keypair password itself can be encrypted using a simple single value encryption described below.
Credentials (username and password pairs) can be exported with:
- ${crypto.exportCredentials('myOrg', 'myCredentials', 'myPassword')}
If it’s a non password-protected secret, use null
instead of password:
- ${crypto.exportCredentials('myOrg', 'myCredentials', null)}
The expression returns a map with two keys:
username
- username partpassword
- password partYou can store the return value in a variable:
- expr: ${crypto.exportCredentials('myOrg', 'myCredentials', null)}
out: myCreds
- log: "Username: ${myCreds.username}"
- log: "Password: ${myCreds.password}"
Or use it directly. For example, in a http
task call:
- task: http
in:
auth:
basic: ${crypto.exportCredentials('myOrg', 'myCredentials', null)}
# ...
A “plain” secret is a single encrypted value, which is stored using
the REST API or the UI and retrieved using the
crypto.exportAsString
method:
$ curl -u myusername \
-F name=mySecret \
-F type=data \
-F data="my value" \
-F storePassword="myPassword" \
http://concord.example.com/api/v1/org/Default/secret
- log: "${crypto.exportAsString('myOrg', 'mySecret', 'myPassword')}"
In this example, my value
will be printed in the log.
Alternatively, the crypto
task provides a method to export plain secrets as files:
- log: "${crypto.exportAsFile('MyOrg', 'mySecret', 'myPassword')}"
The method returns a path to the temporary file containing the exported secret.
A value can be encrypted with a project’s key and subsequently decrypted in the same project’s process. The value is not persistently stored.
You can encrypt a value in your project’s settings configuration in the Concord Console.
Alternatively, the REST API can be used to encrypt the value using the the project specific key
and the encrypt
context:
curl -u myusername \
-H 'Content-Type: text/plain' \
-d 'my secret value' \
http://concord.example.com/api/v1/org/MyOrg/project/MyProject/encrypt
(replace MyOrg
and MyProject
with the names of your organization and project).
The result returns the encrypted value in the data
element:
{
"data" : "4d1+ruCra6CLBboT7Wx5mw==",
"ok" : true
}
The value of data
field can be used as a process variable by adding it as an
attribute in the Concord file, in the project’s configuration or can be supplied
to a specific process execution in the request JSON.
A value can also be encrypted within a Concord Process with the encryptString
method of the crypto
task:
- expr: ${crypto.encryptString('MyOrg', 'MyProject', 'my secret value')}
out: encryptedValue
A value can be encrypted and decrypted only by the same server.
To decrypt the previously encrypted value:
- ${crypto.decryptString("4d1+ruCra6CLBboT7Wx5mw==")}
Alternatively, the encrypted value can be passed as a variable:
- ${crypto.decryptString(mySecret)}
The following example uses the decryptString
method of the crypto
task to set
the value of the name
attribute:
flows:
default:
- log: "Hello, ${name}"
configuration:
arguments:
name: ${crypto.decryptString("4d1+ruCra6CLBboT7Wx5mw==")}