Some of the HTTP and proxy routes we have use access tokens in HTTP headers, which will be rotated routinely.
I understand we can use [$ENV_VAR] syntax to substitute environment variables in the header value. However, the token is sensitive information, which we don’t want to be available to Notecards in the project.
Is there a way to code an environment variable so that it is private to the project and not shared with devices?
Thanks!
Hi @devElert,
Unfortunately there is no way to implement this type of functionality with environment variables, only because the entire purpose of them is to propagate down to one or more Notecards!
Thanks,
Rob
Understood.
So, what is the recommended approach for managing API tokens and token rotation in routes other than error-prone manual updates?
While environment variables are mainly used with devices, they are also useful in Notehub, particularly when combined with fleets and routes to easily parameterize routes.
An additional section for Notehub-only environment variables in the environment pages for the project and fleets would address this.
I’d appreciate it if you could add this as a feature request or consider in a broader context how secrets can be injected into routes without them filtering down to devices. Environment variables stored only in the Notehub project/fleets seem like a natural fit, but perhaps the Blues team has other approaches in mind. This also overlaps with the levels of Notehub project access - viewers shouldn’t typically have access to these secrets.
Thanks!
Hi @devElert,
Got it. Sounds like you’d be interested in a similar UI to what you get from AWS Lambdas or other cloud services where you manage, well, “environment variables” as they are called in Lambda land! These would be scoped just to routes though. Let me ping our Notehub team and add this as a feature request.
Thanks,
Rob
Yes, indeed! Thank you for forwarding the request.
Here are my thoughts on what would be ideal:
- Being able to mark some environment variables as secret or not (controls viewer access in Notehub - developers/owners can reveal/edit.)
- Available at project and fleet levels, with cascading.
- Manageable via the Notehub API
- For security, not overridable nor seen by devices (fully separate namespace.)
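To make the proposal above concrete, here is a small Python model of route-scoped secrets: `[$VAR]` placeholders substituted into header values, project-level variables overridden by fleet-level ones, variables flagged `secret` redacted for viewers and withheld from the set that propagates to devices, and a rotation that only touches the route scope. This is an added illustration written for this thread, not Notehub's code or API; the `[$VAR]` syntax is taken from the thread, while the scope/role names, the `Var`/`Scope` types and the token values are constructed.

```python
"""Model of route-scoped secrets with project -> fleet cascading and [$VAR]
header substitution. Constructed illustration, not Notehub's implementation."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# [$NAME] placeholder syntax as described in the thread
PLACEHOLDER = re.compile(r"\[\$([A-Za-z_][A-Za-z0-9_]*)\]")


@dataclass(frozen=True)
class Var:
    value: str
    secret: bool = False  # secret: redacted for viewers, never sent to devices


@dataclass
class Scope:
    name: str
    variables: dict[str, Var] = field(default_factory=dict)


def resolve(project: Scope, fleet: Scope | None = None) -> dict[str, Var]:
    """Cascade: a fleet value overrides the project value of the same name."""
    merged = dict(project.variables)
    if fleet is not None:
        merged.update(fleet.variables)
    return merged


def device_visible(env: dict[str, Var]) -> dict[str, str]:
    """Only non-secret variables are allowed to propagate to Notecards."""
    return {k: v.value for k, v in env.items() if not v.secret}


def view_for_role(env: dict[str, Var], role: str) -> dict[str, str]:
    """Viewers see secrets redacted; developers/owners see the real value."""
    redact = role == "viewer"
    return {k: ("<redacted>" if (v.secret and redact) else v.value)
            for k, v in env.items()}


def render_headers(template: dict[str, str], env: dict[str, Var]) -> dict[str, str]:
    """Substitute every [$NAME] in the header template from the resolved scope.
    An unresolved placeholder is an error, not a silently empty header."""
    def sub(match: re.Match) -> str:
        name = match.group(1)
        if name not in env:
            raise KeyError(f"unresolved placeholder [${name}]")
        return env[name].value
    return {header: PLACEHOLDER.sub(sub, value) for header, value in template.items()}


def rotate(scope: Scope, name: str, new_value: str) -> None:
    """Rotate a token in place; the secret flag is preserved and no device
    environment is touched because the variable never left the route scope."""
    old = scope.variables[name]
    scope.variables[name] = Var(new_value, old.secret)


def demo() -> dict:
    # Constructed sample scopes and a route header template.
    project = Scope("project", {
        "API_TOKEN": Var("tok-v1-CONSTRUCTED", secret=True),
        "REGION": Var("eu"),
    })
    fleet = Scope("fleet-eu", {"REGION": Var("eu-west")})
    headers = {"Authorization": "Bearer [$API_TOKEN]", "X-Region": "[$REGION]"}

    env = resolve(project, fleet)
    before = render_headers(headers, env)
    rotate(project, "API_TOKEN", "tok-v2-CONSTRUCTED")
    after = render_headers(headers, resolve(project, fleet))
    return {
        "rendered": before,
        "device_env": device_visible(env),
        "viewer": view_for_role(env, "viewer"),
        "after_rotation": after,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the model makes is the separation of namespaces: the route renderer reads from the full resolved scope, while `device_visible` is the only function whose output would ever be handed to a Notecard, so a token marked `secret` cannot reach a device by construction.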