Working with Secrets
NetActuate's Secrets Manager allows you to securely store and inject sensitive data into your virtual machines at deploy time. Secrets such as API keys, database credentials, and configuration values can be managed centrally and delivered to VMs via cloud-init.
Overview
Secrets are stored encrypted in the NetActuate platform and can be referenced during VM provisioning. When a VM boots, cloud-init retrieves and injects the specified secrets into the VM environment, eliminating the need to hardcode sensitive values in your images or scripts.
Creating a Secret
- Navigate to Platform > Secrets in the Customer Portal.
- Click + Add Secret.
- Enter a Name for the secret (e.g., db-password, api-key).
- Enter the Value (the sensitive data to store).
- Click Save.
Using Secrets with Cloud-Init
Reference secrets in your cloud-init user-data configuration to inject them into VMs at boot time. The following example demonstrates writing a secret value to a file on the VM:
#cloud-config
write_files:
  - path: /etc/myapp/config.env
    permissions: '0600'
    content: |
      DB_PASSWORD=${secret:db-password}
      API_KEY=${secret:api-key}
runcmd:
  - systemctl restart myapp
When the VM boots, cloud-init resolves the ${secret:name} references and writes the actual secret values to the specified file.
Verifying Secret Injection
After your VM boots, verify that secrets were injected correctly:
$ cat /etc/myapp/config.env
DB_PASSWORD=your-actual-password-value
API_KEY=your-actual-api-key-value
$ cloud-init status
status: done
Best Practices
- Use descriptive names for secrets so they are easy to identify
- Restrict file permissions (e.g., 0600) when writing secrets to disk
- Rotate secrets regularly and redeploy affected VMs
- Avoid logging secret values in your cloud-init scripts
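The mistakes the practices above warn about (a loose file mode, a secret echoed from runcmd, a reference to a name that does not exist) are cheap to catch before the VM is deployed. The following is an added example, not NetActuate's tooling or part of cloud-init: a small lint that scans a cloud-config for the ${secret:name} placeholders used in the example above and reports names missing from Secrets Manager, write_files entries that carry a secret but are readable by group or other, and runcmd entries that reference a secret. The list of known secret names, the SECRET_REF pattern's permitted characters, and the line-based walker (which follows the block layout of the example rather than parsing arbitrary YAML, so no PyYAML is needed) are all assumptions of this example.

```python
"""Pre-deploy lint for cloud-config user-data that references NetActuate secrets.

Added example, not NetActuate's tooling or cloud-init code. Assumes the
${secret:name} placeholder syntax shown on this page and takes the names that
exist in Secrets Manager from the caller. Standard library only.
"""
import re
from dataclasses import dataclass, field

# Placeholder syntax from the page; the permitted name characters are an assumption.
SECRET_REF = re.compile(r"\$\{secret:([A-Za-z0-9_.-]+)\}")


@dataclass
class WriteFile:
    path: str = ""
    permissions: str = ""   # empty means cloud-init's default mode, 0644
    content: list = field(default_factory=list)


def find_secret_refs(user_data):
    """Every secret name referenced anywhere in the user-data."""
    return set(SECRET_REF.findall(user_data))


def parse_sections(user_data):
    """Collect write_files entries and runcmd items from a simple cloud-config."""
    files, runcmds = [], []
    section = current = None
    key_indent = body_indent = None   # indent of 'content: |' and of its block body
    for raw in user_data.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0 and stripped.endswith(":"):       # top-level module key
            section, current, key_indent, body_indent = stripped[:-1], None, None, None
            continue
        if section == "write_files":
            if key_indent is not None and indent > key_indent:   # inside the block scalar
                body_indent = indent if body_indent is None else body_indent
                current.content.append(line[body_indent:])
                continue
            key_indent = body_indent = None
            if stripped.startswith("- path:"):
                current = WriteFile(path=stripped.split(":", 1)[1].strip())
                files.append(current)
            elif stripped.startswith("permissions:") and current:
                current.permissions = stripped.split(":", 1)[1].strip().strip("'\"")
            elif stripped.startswith("content:") and current:
                key_indent = indent
        elif section == "runcmd" and stripped.startswith("- "):
            runcmds.append(stripped[2:])
    return files, runcmds


def lint_user_data(user_data, known_secrets):
    """Findings a deploy pipeline should block on; an empty list means clean."""
    findings = []
    for name in sorted(find_secret_refs(user_data) - set(known_secrets)):
        findings.append(f"unknown secret '{name}': not in Secrets Manager, cannot resolve at boot")
    files, runcmds = parse_sections(user_data)
    for f in files:
        if SECRET_REF.search("\n".join(f.content)):
            mode = int(f.permissions or "0644", 8)
            if mode & 0o077:   # any group or other bit set
                findings.append(f"{f.path}: holds a secret but mode "
                                f"{f.permissions or '0644 (default)'} is readable by group/other")
    for cmd in runcmds:
        if SECRET_REF.search(cmd):   # runcmd text and output end up in cloud-init logs
            findings.append(f"runcmd '{cmd}': secret reference in a logged command")
    return findings


# Constructed inputs: the page's own example, and a variant with three mistakes.
GOOD_USER_DATA = """\
#cloud-config
write_files:
  - path: /etc/myapp/config.env
    permissions: '0600'
    content: |
      DB_PASSWORD=${secret:db-password}
      API_KEY=${secret:api-key}
runcmd:
  - systemctl restart myapp
"""

BAD_USER_DATA = """\
#cloud-config
write_files:
  - path: /etc/myapp/config.env
    permissions: '0644'
    content: |
      DB_PASSWORD=${secret:db-password}
      API_KEY=${secret:api_key}
runcmd:
  - echo "${secret:db-password}" > /tmp/debug
  - systemctl restart myapp
"""
```

Run lint_user_data against the exact user-data you submit, with the secret names pulled from Secrets Manager, as a CI step before the deploy call; any non-empty result should fail the job. The good input returns no findings, while the bad one reports the misspelled api_key reference, the 0644 mode on a file holding secrets, and the echo in runcmd.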
Next Steps
- Secrets Manager API — Manage secrets programmatically via the API
- How to Deploy a Virtual Machine — Deploy a VM with cloud-init and secrets
Need Help?
For guidance on secrets management, connect with a NetActuate infrastructure expert at support@netactuate.com or open a support ticket from the portal: portal.netactuate.com.