Hazy can optionally be connected to AWS Secrets Manager for storing and retrieving sensitive secrets.
AWS Secrets Manager
The following environment variables can make use of Secrets Manager:
HAZY_ANALYSIS_ENCRYPTION_KEY is required for the single container and distributed installation. This must be an exactly 32-byte base64-encoded token.
HAZY_DS_ROOT_KEY is required for the single container and distributed installation. This should be a base64-encoded token of at least 32 bytes.
HAZY_CACHE_PASSWORD is optional, but can give training and generation performance improvements by allowing reading and writing to an encrypted cache folder.
KEYCLOAK_BACKEND_CLIENT is used for the more complex Keycloak authentication and authorisation.
KEYCLOAK_BACKEND_CLIENT_SECRET is used for the more complex Keycloak authentication and authorisation.
RABBIT_MQ_PASSWORD is used for the distributed architecture only.
To specify that the secret should be pulled from AWS Secrets Manager, environment variables can take the form
.region= is optional, but may be required depending on usage. Parts can also be quoted to escape the different sections, for example:
A set of valid AWS secrets can be set up using the AWS CLI. Take care to replace
<CHOSEN-UNLOCK-CODE> with a chosen password.
aws secretsmanager create-secret --name analysis-token --secret-string "$(openssl rand -base64 32)"
aws secretsmanager create-secret --name hazy-root-key --secret-string "$(openssl rand -base64 64)"
aws secretsmanager create-secret --name HAZY-AUTH-TOKEN --secret-string "<CHOSEN-UNLOCK-CODE>"
If you don't wish to use AWS Secrets Manager, any environment variable value that doesn't start with the prefix
aws_sm is treated as the secret value itself.
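A pre-deployment check for the two key variables and the aws_sm prefix rule described above, as an added example that is not part of Hazy's own code. It assumes the byte counts refer to the decoded key length (which matches the openssl commands above); the function names are hypothetical, and values with the aws_sm prefix are only classified, not resolved.

```python
import base64
import binascii
import os

# Prefix from the page: such values are Secrets Manager references.
AWS_SM_PREFIX = "aws_sm"

# Length rules from the page, applied to the decoded bytes (assumption).
KEY_RULES = {
    "HAZY_ANALYSIS_ENCRYPTION_KEY": ("exact", 32),
    "HAZY_DS_ROOT_KEY": ("min", 32),
}


def check_key(name, value):
    """Return (ok, message) for one variable; never echoes the secret."""
    mode, size = KEY_RULES[name]
    if not value:
        return False, f"{name}: not set"
    if value.startswith(AWS_SM_PREFIX):
        # A reference cannot be length-checked without calling AWS.
        return True, f"{name}: Secrets Manager reference, not checked locally"
    # openssl wraps long base64 output across lines, so drop whitespace.
    compact = "".join(value.split())
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return False, f"{name}: literal value is not valid base64"
    if mode == "exact" and len(raw) != size:
        return False, f"{name}: decodes to {len(raw)} bytes, need exactly {size}"
    if mode == "min" and len(raw) < size:
        return False, f"{name}: decodes to {len(raw)} bytes, need at least {size}"
    return True, f"{name}: literal key, {len(raw)} bytes"


def check_environment(env):
    """Check every variable in KEY_RULES; return {name: (ok, message)}."""
    return {name: check_key(name, env.get(name)) for name in KEY_RULES}


if __name__ == "__main__":
    results = check_environment(os.environ)
    for ok, message in results.values():
        print("OK  " if ok else "FAIL", message)
    raise SystemExit(0 if all(ok for ok, _ in results.values()) else 1)
```

Run it in the same environment the container will receive; it exits non-zero if either key is missing or has the wrong length.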