
Secret Management

Security is a first-class citizen in Nanokit. Our Secret Management system ensures that your sensitive data (API keys, passwords, certificates) is handled securely and injected into your services at runtime.

Defining Secrets

Secrets are defined in the secrets block of your nanokit.yml. Each entry maps a secret name to a reference URI; the value itself never appears in the file.

  secrets:
    STRIPE_KEY: vault://stripe/prod/api-key
    DATABASE_PASSWORD: env://DB_PASS

Secret Resolvers

Nanokit supports multiple ways to resolve secrets:

  1. Vault (Recommended): Fetch secrets from a secure vault like HashiCorp Vault or AWS Secrets Manager.
  2. Environment: Use local environment variables from your CI/CD pipeline or .env files.
  3. External Plugins: Extend security with custom secret providers.

Usage in Services

Once defined, secrets can be mapped to service environment variables with the ${secrets.NAME} syntax:

  services:
    api:
      env:
        STRIPE_SECRET_KEY: ${secrets.STRIPE_KEY}

Security Best Practices

  • Never Commit Secrets: Nanokit ensures secrets are never stored in your Git repository.
  • Runtime Injection: Secrets are injected into memory at startup, reducing the risk of exposure.
  • Audit Logs: Every access to a secret is tracked in the platform’s audit logs.
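The following is an added example, not Nanokit's own code, showing how the pieces on this page fit together: a secrets block whose entries are vault:// and env:// references, a pluggable resolver per URI scheme (the plugin hook is register()), ${secrets.NAME} interpolation into a service's env, and an audit trail that records which service accessed which secret without ever storing the value. The vault backend is a constructed in-memory dict standing in for a real Vault or Secrets Manager client, and the CONFIG dict is the parsed form of the two nanokit.yml fragments above; the class, function and error names are this example's own assumptions.

```python
"""Added example, not Nanokit's own code: resolve the secrets block of
nanokit.yml, interpolate ${secrets.NAME} into service env, and keep an
audit trail of accesses that never contains secret values."""
import os
import re
from typing import Callable, Dict, List, Optional

# Constructed input: the parsed form of the nanokit.yml fragments on this page.
CONFIG = {
    "secrets": {
        "STRIPE_KEY": "vault://stripe/prod/api-key",
        "DATABASE_PASSWORD": "env://DB_PASS",
    },
    "services": {
        "api": {"env": {"STRIPE_SECRET_KEY": "${secrets.STRIPE_KEY}"}},
    },
}

# Constructed stand-in for a vault client (assumption: a path -> value lookup).
FAKE_VAULT = {"stripe/prod/api-key": "sk_live_constructed_example"}

_REF = re.compile(r"^(?P<scheme>[a-z][a-z0-9]*)://(?P<path>.+)$")
_INTERP = re.compile(r"\$\{secrets\.(?P<name>[A-Za-z0-9_]+)\}")


class SecretError(Exception):
    """Unknown scheme, unknown secret name, or a backend without the value."""


class SecretStore:
    """Resolves a secret reference on every access and records who asked."""

    def __init__(self, secrets_block: Dict[str, str],
                 environ: Optional[Dict[str, str]] = None,
                 vault: Optional[Dict[str, str]] = None) -> None:
        self._refs = dict(secrets_block)
        environ = os.environ if environ is None else environ
        vault = {} if vault is None else vault
        # Built-in resolvers keyed by URI scheme; plugins add more via register().
        self._resolvers: Dict[str, Callable[[str], str]] = {
            "env": lambda path: self._lookup(environ, path, "env"),
            "vault": lambda path: self._lookup(vault, path, "vault"),
        }
        self.audit: List[Dict[str, str]] = []  # never holds secret values

    @staticmethod
    def _lookup(backend: Dict[str, str], path: str, scheme: str) -> str:
        if path not in backend:
            raise SecretError(f"{scheme}://{path}: no value in backend")
        return backend[path]

    def register(self, scheme: str, resolver: Callable[[str], str]) -> None:
        """Plugin hook: add a resolver for a custom scheme."""
        self._resolvers[scheme] = resolver

    def get(self, name: str, accessor: str) -> str:
        if name not in self._refs:
            raise SecretError(f"unknown secret '{name}'")
        m = _REF.match(self._refs[name])
        if not m:
            raise SecretError(f"{name}: malformed reference")
        scheme, path = m.group("scheme"), m.group("path")
        if scheme not in self._resolvers:
            raise SecretError(f"{name}: no resolver for scheme '{scheme}'")
        value = self._resolvers[scheme](path)
        # The audit entry records the access, not the secret.
        self.audit.append({"secret": name, "scheme": scheme, "accessor": accessor})
        return value

    def __repr__(self) -> str:
        return f"SecretStore(secrets={sorted(self._refs)})"  # redacted on purpose


def inject(store: SecretStore, services: Dict[str, dict]) -> Dict[str, Dict[str, str]]:
    """Return the runtime env of each service with ${secrets.X} filled in."""
    result: Dict[str, Dict[str, str]] = {}
    for svc, spec in services.items():
        env: Dict[str, str] = {}
        for key, raw in spec.get("env", {}).items():
            env[key] = _INTERP.sub(
                lambda m: store.get(m.group("name"), accessor=f"service:{svc}"), raw)
        result[svc] = env
    return result


if __name__ == "__main__":
    store = SecretStore(CONFIG["secrets"], environ={"DB_PASS": "constructed"},
                        vault=FAKE_VAULT)
    envs = inject(store, CONFIG["services"])
    print({svc: sorted(env) for svc, env in envs.items()})  # variable names only
    print(store.audit)
```

Resolution happens inside get() rather than once at construction, so every access, including a second read of the same secret, produces its own audit entry; the values only ever live in the returned env dict that is handed to the service at startup.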