Secrets Manager

Hazy can optionally be connected to AWS Secrets Manager to store and retrieve sensitive secrets.

AWS Secrets Manager

The following environment variables can be sourced from Secrets Manager:

  • HAZY_ANALYSIS_ENCRYPTION_KEY: required for both the single-container and the distributed installation. This must be a base64-encoded token that decodes to exactly 32 bytes.
  • HAZY_DS_ROOT_KEY: required for both the single-container and the distributed installation. This should be a base64-encoded token that decodes to at least 32 bytes.
  • HAZY_CACHE_PASSWORD: optional, but can improve training and generation performance by allowing reads and writes to an encrypted cache folder.
  • KEYCLOAK_BACKEND_CLIENT: used for the more complex Keycloak authentication and authorisation setup.
  • KEYCLOAK_BACKEND_CLIENT_SECRET: used for the more complex Keycloak authentication and authorisation setup.
  • RABBIT_MQ_PASSWORD: used for the distributed architecture only.

To have a secret pulled from AWS Secrets Manager, give the environment variable a value of the form

aws_sm.<NAME-OF-SECRET>.region=<AWS-REGION>

where the .region=<AWS-REGION> component is optional but may be required, depending on your setup. Individual components can be wrapped in double quotes so that dots inside them are not treated as separators, for example:

HAZY_ANALYSIS_ENCRYPTION_KEY=aws_sm."analysis-token"
HAZY_DS_ROOT_KEY=aws_sm.hazy-root-key."region=eu-west-2"

A matching set of secrets can be created with the AWS CLI. Replace <CHOSEN-UNLOCK-CODE> with a password of your choosing:

aws secretsmanager create-secret --name analysis-token --secret-string "$(openssl rand -base64 32)"
aws secretsmanager create-secret --name hazy-root-key --secret-string "$(openssl rand -base64 64)"
aws secretsmanager create-secret --name HAZY-AUTH-TOKEN --secret-string "<CHOSEN-UNLOCK-CODE>"
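The following is an added example, not code from Hazy, that shows how a loader can interpret the aws_sm reference syntax described above (prefix check, quoted components, optional region) and then verify the decoded key sizes listed for HAZY_ANALYSIS_ENCRYPTION_KEY and HAZY_DS_ROOT_KEY before the values are used. The function names, the SecretRef type and the in-memory store used in the demo are assumptions for illustration; fetch_from_aws uses the real boto3 get_secret_value call but is not exercised offline.

```python
"""Resolve aws_sm.<NAME>[.region=<REGION>] references and check key sizes (example code)."""
import base64
import binascii
from dataclasses import dataclass
from typing import Callable, Dict, List, Mapping, Optional

PREFIX = "aws_sm"

# Variables the documentation allows to be sourced from Secrets Manager.
SECRET_VARS = (
    "HAZY_ANALYSIS_ENCRYPTION_KEY", "HAZY_DS_ROOT_KEY", "HAZY_CACHE_PASSWORD",
    "KEYCLOAK_BACKEND_CLIENT", "KEYCLOAK_BACKEND_CLIENT_SECRET", "RABBIT_MQ_PASSWORD",
)

# Size rules from the variable list, applied to the decoded bytes (assumption).
LENGTH_RULES: Dict[str, Callable[[int], bool]] = {
    "HAZY_ANALYSIS_ENCRYPTION_KEY": lambda n: n == 32,
    "HAZY_DS_ROOT_KEY": lambda n: n >= 32,
}


@dataclass(frozen=True)
class SecretRef:
    name: str
    region: Optional[str] = None


def split_parts(value: str) -> List[str]:
    """Split on '.', keeping a double-quoted section as one part (quotes removed)."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch == "." and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if quoted:
        raise ValueError(f"unterminated quote in {value!r}")
    parts.append("".join(buf))
    return parts


def parse_ref(value: str) -> Optional[SecretRef]:
    """Return a SecretRef for an aws_sm reference, or None if the value is a literal secret."""
    if not value.startswith(PREFIX + "."):
        return None
    parts = split_parts(value)
    if len(parts) < 2 or not parts[1]:
        raise ValueError(f"missing secret name in {value!r}")
    region = None
    for extra in parts[2:]:
        if not extra.startswith("region="):
            raise ValueError(f"unexpected component {extra!r} in {value!r}")
        region = extra[len("region="):] or None
    return SecretRef(parts[1], region)


Fetcher = Callable[[SecretRef], str]


def fetch_from_aws(ref: SecretRef) -> str:
    """Real lookup through boto3; region_name=None falls back to the default region."""
    import boto3  # imported lazily so the module loads without boto3 installed
    client = boto3.client("secretsmanager", region_name=ref.region)
    return client.get_secret_value(SecretId=ref.name)["SecretString"]


def decoded_length(token: str) -> int:
    """Strictly decode base64 (line breaks ignored) and return the byte count."""
    compact = "".join(token.split())
    try:
        return len(base64.b64decode(compact, validate=True))
    except (binascii.Error, ValueError) as exc:
        raise ValueError("secret is not valid base64") from exc


def load_secrets(env: Mapping[str, str], fetch: Fetcher = fetch_from_aws) -> Dict[str, str]:
    """Resolve each configured secret variable and enforce the size rules."""
    resolved: Dict[str, str] = {}
    for var in SECRET_VARS:
        if var not in env:
            continue
        ref = parse_ref(env[var])
        secret = env[var] if ref is None else fetch(ref)  # no prefix: literal value
        rule = LENGTH_RULES.get(var)
        if rule is not None and not rule(decoded_length(secret)):
            raise ValueError(f"{var} has the wrong decoded length")
        resolved[var] = secret
    return resolved


if __name__ == "__main__":
    # Constructed stand-in for Secrets Manager, keyed by (name, region).
    store = {
        ("analysis-token", None): base64.b64encode(b"\x01" * 32).decode(),
        ("hazy-root-key", "eu-west-2"): base64.b64encode(b"\x02" * 64).decode(),
    }
    env = {
        "HAZY_ANALYSIS_ENCRYPTION_KEY": 'aws_sm."analysis-token"',
        "HAZY_DS_ROOT_KEY": 'aws_sm.hazy-root-key."region=eu-west-2"',
        "RABBIT_MQ_PASSWORD": "literal-password",
    }
    print(load_secrets(env, lambda r: store[(r.name, r.region)]))
```

The decoder strips line breaks before decoding because openssl rand -base64 wraps its output at 64 characters, so the 64-byte root key generated above is emitted on two lines and the command substitution keeps the embedded newline; pipe through tr -d '\n' if you need a single-line secret string.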

If you do not wish to use AWS Secrets Manager, set the environment variable to the secret itself: any value that does not start with the prefix aws_sm is treated as the literal secret value.
