Config

Federal guidelines require safe, encrypted storage of "static authenticators" (meaning API keys, tokens, etc.). Archon has a compliant mechanism to store these authenticators and provide them at runtime.

Federal guidelines also establish strict "change management" requirements for altering system configuration. Archon's config system automatically implements these controls when running in production.

Accessing config items

Configuration items can only be accessed by SERVICE users (see Service Accounts) with special permissions. Grant access to config entries or secrets using the following details:

  • Config entries: Can be accessed by users with permission to access the read-config-entry intent on a resource of resourceType archon-configEntry
  • Secret entries: Can be accessed by users with permission to access the read-secret-entry intent on a resource of resourceType archon-configEntry

See 6. Access Control for more details on granting permissions.

Special conditions

Config items and secrets are just like other resources in the Archon Environment. Config items and secrets both have special metadata you can use when defining Conditions for access. It looks like the following:

  • Secret entries:
    {
      "name": "{{name of the secret}}",
      "secret": true,
      // only appears if the Archon configurator created this resource
      "~archon": true
    }
  • Config entries:
    {
      "name": "{{name of the config entry}}",
      "secret": false,
      // only appears if the Archon configurator created this resource
      "~archon": true
    }

Adding config items or secrets in development

Use the admin portal to add config items: navigate to Config on the left-hand sidebar and use the Add button in the top right.

warning

For now, delete a Config item by deleting its resource from the resource tab. This will also be fixed in a future version.

Accessing config items or secrets from your application

Refer to your SDK's documentation for detailed instructions.

As an example, here's how to access a secret with the NodeJS SDK:

const secret = await getSecret('postgres-details')

note

Remember that your application's service-account must have permission to access the secret or this will throw an error!
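
Because getSecret throws when the service account lacks permission, a service can read every secret it needs at startup and refuse to run if any is unreadable. The following is an added example, not part of the Archon SDK or its documentation. It assumes getSecret takes a name and resolves to the value, as in the call above; `loadRequiredSecrets`, `fakeGetSecret` and the secret name `smtp-password` are hypothetical.

```javascript
// Added example, not Archon SDK code. `getSecret` is passed in as a parameter
// so the block runs offline; in an application it would be the SDK function.

// Fetch every secret the service needs at startup and fail closed if any is
// unavailable. The error names the failing secrets but never includes a value
// or the underlying error text.
async function loadRequiredSecrets(getSecret, names) {
  const results = await Promise.allSettled(names.map((n) => getSecret(n)));
  const loaded = {};
  const failed = [];
  results.forEach((r, i) => {
    // A rejected call or an empty value both count as "not readable".
    const usable = r.status === 'fulfilled' && r.value != null && r.value !== '';
    if (usable) loaded[names[i]] = r.value;
    else failed.push(names[i]);
  });
  if (failed.length > 0) {
    const err = new Error(`cannot start: unreadable secrets: ${failed.join(', ')}`);
    err.failedSecrets = failed; // lets the caller report which grants are missing
    throw err;
  }
  return Object.freeze(loaded); // read-only view for the rest of the app
}

// Constructed stand-in for the SDK call: this service account can read only
// 'postgres-details'; any other name throws, as the note above describes.
const readable = new Map([['postgres-details', 'constructed-sample-value']]);
async function fakeGetSecret(name) {
  if (!readable.has(name)) throw new Error('permission denied (constructed error)');
  return readable.get(name);
}

// Runs one successful load and one that hits a secret without a grant
// ('smtp-password' is a hypothetical name).
async function demo() {
  const ok = await loadRequiredSecrets(fakeGetSecret, ['postgres-details']);
  let failure = null;
  try {
    await loadRequiredSecrets(fakeGetSecret, ['postgres-details', 'smtp-password']);
  } catch (e) {
    failure = e;
  }
  return {
    loadedNames: Object.keys(ok),
    failedSecrets: failure.failedSecrets,
    message: failure.message,
  };
}
```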