
Using Summon to Manage Secrets as You Move From Dev to Prod

How to use the same secrets.yml in different environments

I’ve recently been working with secrets.yml files that point to different secrets for different environments, and I wanted to share what I’ve learned!

If the usual command to run my app is run-my-app, I knew that I could write a secrets.yml and wrap that command in a call to Summon so that the secret values are injected into the app’s environment at runtime.

But what if I have different secrets for dev and prod?

I can use environments in my secrets.yml!

dev:
  DB_PASSWORD: !var dev/my-app/db-password

prod:
  DB_PASSWORD: !var prod/my-app/db-password

Then my command becomes summon -e dev run-my-app or summon -e prod run-my-app, depending on which environment I want to use.

But there’s more! What if there are some secrets that are common across dev and prod? Then I can add a common environment to my secrets.yml:

common:
  AWS_ACCESS_KEY_ID: !var aws/access-key-id
  AWS_SECRET_ACCESS_KEY: !var aws/secret-access-key

dev:
  DB_PASSWORD: !var dev/my-app/db-password

prod:
  DB_PASSWORD: !var prod/my-app/db-password

Then when I run either summon -e dev run-my-app or summon -e prod run-my-app, Summon also loads the variables listed in the common section (this section may also be named default). That is, my app has access to both the DB_PASSWORD for the chosen environment AND the AWS credentials that are common to all environments.
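To make the layering concrete, here is a small model of what happens to the secrets.yml above when one environment is selected. This is an added example written for this post, not Summon’s own code: it contains a parser for just the two-level layout shown here (a section name, then indented KEY: !var path entries or plain literal values), a constructed stand-in dictionary in place of a real secret provider, and a merge that lays the chosen environment over common/default. It assumes, as this post describes, that common and default are treated the same way, and it assumes environment entries win over common ones when the same name appears in both; check the project README for Summon’s actual precedence. The sample secrets.yml and provider values are constructed for the example.

```python
"""Model of Summon-style environment selection in secrets.yml.

Added illustration, not Summon's code. Handles only the layout used in the
post: top-level section names, then indented `KEY: !var path` or `KEY: literal`
entries. A dictionary stands in for the real secret provider.
"""
import re

# Constructed sample secrets.yml, matching the post's final example.
SECRETS_YML = """\
common:
  AWS_ACCESS_KEY_ID: !var aws/access-key-id
  AWS_SECRET_ACCESS_KEY: !var aws/secret-access-key

dev:
  DB_PASSWORD: !var dev/my-app/db-password

prod:
  DB_PASSWORD: !var prod/my-app/db-password
"""

# Constructed stand-in for a secret provider (path -> value). Placeholder
# values only; a real provider would be queried per path instead.
FAKE_PROVIDER = {
    "aws/access-key-id": "AKIA-constructed",
    "aws/secret-access-key": "aws-secret-constructed",
    "dev/my-app/db-password": "dev-db-pw-constructed",
    "prod/my-app/db-password": "prod-db-pw-constructed",
}

SECTION_RE = re.compile(r"^(\S+):\s*$")
ENTRY_RE = re.compile(r"^\s+([A-Za-z_][A-Za-z0-9_]*):\s*(?:!var\s+(\S+)|(\S.*))$")


def parse_secrets_yml(text):
    """Return {section: {VAR: ("var", path) | ("literal", value)}}."""
    sections = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        m = SECTION_RE.match(raw)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = ENTRY_RE.match(raw)
        if not m or current is None:
            # Unindented entries or anything outside a section are rejected,
            # so a mis-indented file fails loudly rather than silently.
            raise ValueError(f"line {lineno}: unrecognised entry {raw!r}")
        name, path, literal = m.groups()
        sections[current][name] = ("var", path) if path else ("literal", literal)
    return sections


def select_environment(sections, env):
    """Layer the chosen environment over common/default.

    Assumption (not verified against Summon): entries in the named
    environment override same-named entries in common/default.
    """
    if env not in sections:
        raise KeyError(f"environment {env!r} not defined in secrets.yml")
    merged = {}
    for base in ("common", "default"):
        merged.update(sections.get(base, {}))
    merged.update(sections[env])
    return merged


def resolve(merged, provider):
    """Fetch only the secrets the selected environment references.

    Secrets belonging to other environments are never looked up, so a dev
    invocation never touches prod paths in the provider.
    """
    env_vars = {}
    for name, (kind, value) in merged.items():
        if kind == "var":
            if value not in provider:
                raise KeyError(f"provider has no secret at {value!r}")
            env_vars[name] = provider[value]
        else:
            env_vars[name] = value
    return env_vars


def summon_env(text, env, provider):
    """Full pipeline: parse, pick the environment, resolve values."""
    return resolve(select_environment(parse_secrets_yml(text), env), provider)


if __name__ == "__main__":
    for env in ("dev", "prod"):
        print(env, sorted(summon_env(SECRETS_YML, env, FAKE_PROVIDER)))
```

Running it prints the variable names each environment ends up with: both get the two AWS variables from common plus a DB_PASSWORD, and the dev run never resolves the prod/my-app/db-password path at all, which is the property you want from per-environment sections.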

Pretty cool.

For more info on this and other Summon features, check out the project README on GitHub.