Secrets management
Env vars, secret stores, redaction. Keep credentials out of YAML and logs.
Cannectors reads every secret from environment variables via the
${VAR} syntax — see Environment variables
for the resolution rules. This page is about wiring those vars into
your deployment without leaking them.
Sources of truth
| Where the secret lives | Loader |
|---|---|
| HashiCorp Vault | vault agent → env file |
| AWS Secrets Manager | aws secretsmanager get-secret-value in entrypoint, or sidecar |
| GCP Secret Manager | Workload Identity + secret accessor, or sidecar |
| Kubernetes Secret | envFrom: secretRef: on the pod |
| systemd | EnvironmentFile= pointing to a chmod-600 file |
| 1Password CLI (dev only) | op run --env-file=… wrapping cannectors run |
Pick whichever your platform already uses. Cannectors itself doesn't
talk to any secret store directly — it only consumes os.Environ().
What lives where
| Type | Storage | YAML reference |
|---|---|---|
| OAuth2 client ID/secret | Secret store | ${OAUTH_CLIENT_ID}, ${OAUTH_CLIENT_SECRET} |
| Bearer tokens | Secret store | ${SOURCE_BEARER_TOKEN} |
| API keys | Secret store | ${SOURCE_API_KEY} |
| Database URLs (incl. password) | Secret store | ${WAREHOUSE_DATABASE_URL} |
| HMAC webhook secrets | Secret store | ${WEBHOOK_HMAC_SECRET} |
| Endpoint hostnames | ConfigMap / config file | hard-coded in the YAML or via ${SOURCE_BASE_URL} |
| CRON schedules | YAML | hard-coded |
Default to env vars for anything sensitive. Hard-code the rest.
systemd EnvironmentFile

```ini
# permissions: chmod 600, owner: cannectors
SOURCE_BEARER_TOKEN=eyJhbGciOiJIUzI1...
DESTINATION_BEARER_TOKEN=eyJ...
WAREHOUSE_DATABASE_URL=postgres://user:pass@host/db
```

```ini
[Service]
EnvironmentFile=/etc/cannectors/orders.env
ExecStart=/usr/local/bin/cannectors run /etc/cannectors/orders.yaml
```

chmod 600 on the env file, owned by the cannectors user, no group read.
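A pre-start check for the env file, as an added example (not Cannectors' own code): it verifies the mode and owner the page calls for and that every non-comment line is a single KEY=value assignment, reporting key names but never values, so the report can go to a log. The file contents and the expected uid are constructed for the demo; the check itself applies to any systemd EnvironmentFile.

```python
import os
import re
import stat
import tempfile

# One shell-style assignment per line; blank lines and # comments are skipped.
ASSIGNMENT = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def check_env_file(path, expected_uid=None):
    """Return a list of findings for an EnvironmentFile; an empty list means OK.

    Mode must have no group/other bits (0600), the owner may be checked against
    expected_uid, and each line must parse as KEY=value. Values never appear in
    the findings.
    """
    findings = []
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(
            f"mode {stat.S_IMODE(st.st_mode):04o}: remove group/other bits (expected 0600)"
        )
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid}: expected uid {expected_uid}")
    seen = set()
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            m = ASSIGNMENT.match(line)
            if not m:
                # Catches e.g. a unit-file section header pasted into the env file.
                findings.append(f"line {lineno}: not a KEY=value assignment")
                continue
            key, value = m.group(1), m.group(2)
            if key in seen:
                findings.append(f"line {lineno}: duplicate key {key}")
            seen.add(key)
            if not value:
                findings.append(f"line {lineno}: {key} is empty")
    return findings


def _write_temp(content, mode):
    """Write constructed content to a temp file with the given mode; caller unlinks."""
    fd, path = tempfile.mkstemp(prefix="cannectors-env-")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(content)
    os.chmod(path, mode)
    return path


def demo():
    """Constructed files: one correct (0600), one world-readable with a stray [Service] header."""
    good = _write_temp(
        "# permissions: chmod 600, owner: cannectors\n"
        "SOURCE_BEARER_TOKEN=constructed-token-value\n"
        "WAREHOUSE_DATABASE_URL=postgres://user:pass@host/db\n",
        0o600,
    )
    bad = _write_temp("SOURCE_BEARER_TOKEN=constructed-token-value\n[Service]\nEMPTY=\n", 0o644)
    try:
        return check_env_file(good), check_env_file(bad)
    finally:
        os.unlink(good)
        os.unlink(bad)
```

Run `check_env_file("/etc/cannectors/orders.env", expected_uid=<uid of cannectors>)` from an ExecStartPre= hook or a deploy script and refuse to start the service when the list is non-empty; `demo()` shows the two outcomes on the constructed files.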
Kubernetes Secret

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: orders-sync-secrets
type: Opaque
stringData:
  SOURCE_BEARER_TOKEN: eyJhbGciOiJIUzI1...
  WAREHOUSE_DATABASE_URL: postgres://...
```

```yaml
# In the Deployment spec (pod template)
spec:
  template:
    spec:
      containers:
        - name: cannectors
          envFrom:
            - secretRef:
                name: orders-sync-secrets
```

For real production, store the Secret content in your secret manager (External Secrets Operator, Sealed Secrets, Vault Secrets Operator) rather than committing it to git.
Redaction

The runtime never logs resolved credentials. cannectors validate --verbose also redacts:

```yaml
authentication:
  type: bearer
  credentials:
    token: [redacted]
```

If you ever see a literal token in logs, that's a bug — open an issue.
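The two behaviours this page describes, ${VAR} resolution from the environment and redaction of the resolved credentials, written out as an added example that is not Cannectors' code. The resolution rules (placeholder syntax, failing on an unset variable), the set of key names treated as sensitive and the sample config, environment and log lines are this example's own assumptions. It also includes the check behind the last sentence above: scanning log lines for a credential that appears literally.

```python
import re
from typing import Any, Mapping

# ${VAR} placeholders as written in the YAML (assumed syntax, not Cannectors' documented rules).
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")
# Password embedded in scheme://user:password@host URLs; group 2 is the password.
URL_PASSWORD = re.compile(r"(://[^/:@\s]+:)([^@/\s]+)@")
# Key names whose values are credentials wherever they occur (assumed set).
SENSITIVE_KEYS = {"token", "secret", "password", "client_secret", "api_key"}


class MissingSecret(KeyError):
    """A ${VAR} reference has no value in the environment."""


def resolve(value: Any, env: Mapping[str, str]) -> Any:
    """Replace ${VAR} in strings, walking dicts and lists.

    An unset variable raises instead of becoming "", so a missing secret fails
    at startup rather than producing an unauthenticated request later.
    """
    if isinstance(value, str):
        def sub(m):
            name = m.group(1)
            if name not in env:
                raise MissingSecret(name)
            return env[name]
        return PLACEHOLDER.sub(sub, value)
    if isinstance(value, dict):
        return {k: resolve(v, env) for k, v in value.items()}
    if isinstance(value, list):
        return [resolve(v, env) for v in value]
    return value


def redact(value: Any, under_credentials: bool = False) -> Any:
    """Copy of a resolved config that is safe to print or log.

    Everything beneath a `credentials` mapping and every value of a key in
    SENSITIVE_KEYS becomes "[redacted]"; a password embedded in a URL is masked
    even under a non-sensitive key such as `url`.
    """
    if isinstance(value, dict):
        return {
            k: redact(v, under_credentials or k.lower() in SENSITIVE_KEYS or k == "credentials")
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v, under_credentials) for v in value]
    if under_credentials:
        return "[redacted]"
    if isinstance(value, str):
        return URL_PASSWORD.sub(r"\1[redacted]@", value)
    return value


def find_leaks(lines, secrets: Mapping[str, str], min_len: int = 8):
    """Return (line index, var name) pairs where a credential appears literally.

    For URL-shaped secrets the embedded password is checked on its own, since a
    log line may carry the password without the full URL around it.
    """
    hits = []
    for i, line in enumerate(lines):
        for name, value in secrets.items():
            fragments = [value]
            m = URL_PASSWORD.search(value)
            if m:
                fragments.append(m.group(2))
            if any(len(f) >= min_len and f in line for f in fragments):
                hits.append((i, name))
    return hits


# Constructed sample config, environment and log lines (not from the page).
CONFIG = {
    "source": {
        "base_url": "${SOURCE_BASE_URL}",
        "authentication": {"type": "bearer", "credentials": {"token": "${SOURCE_BEARER_TOKEN}"}},
    },
    "destination": {"url": "${WAREHOUSE_DATABASE_URL}"},
}
ENV = {
    "SOURCE_BASE_URL": "https://api.example.test",
    "SOURCE_BEARER_TOKEN": "eyJhbGciOiJIUzI1-constructed-token",
    "WAREHOUSE_DATABASE_URL": "postgres://app:s3cr3tpw@db.internal:5432/warehouse",
}
LOG_LINES = [
    "INFO  connector=orders-sync source=https://api.example.test status=200",
    "DEBUG authorization: Bearer eyJhbGciOiJIUzI1-constructed-token",  # the bug the page describes
    "INFO  destination=postgres://app:[redacted]@db.internal:5432/warehouse rows=412",
]


def demo():
    resolved = resolve(CONFIG, ENV)
    safe = redact(resolved)
    # Only values the page files under "Secret store" are scanned for.
    secrets = {k: ENV[k] for k in ("SOURCE_BEARER_TOKEN", "WAREHOUSE_DATABASE_URL")}
    return resolved, safe, find_leaks(LOG_LINES, secrets)
```

`demo()` returns the resolved config, its redacted rendering (the token under `credentials` and the database password both masked, the hostname left readable) and one leak: the constructed DEBUG line carrying the bearer token, which is exactly the condition the page says to report as a bug.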
Rotation

Cannectors reads env vars once at startup. After rotating a secret in your store, restart the process to pick it up:

```bash
sudo systemctl restart cannectors-orders
# or
kubectl rollout restart deployment/orders-sync
```

Both honor Recreate semantics, so the new replica starts with the new env and the old one stops cleanly.