Often your project will require some secret keys or tokens - for instance, API keys or database authentication information. Learn how to safely and easily deploy secrets to now, and how to expose them as environment variables that your applications can load without making them public to the world.
[00:00] A lot of times as our applications grow in complexity, it becomes necessary for us to store certain parts of information in a way that's accessible to the application without actually being in the code. One way that we do that is using environment variables.
[00:16] The kinds of stuff I'm talking about, let's say for instance we're really tired of having to bump the version and redeploy every time we change the greeting. Instead, we're going to say, "var greeting equals process.env.greeting." That says find the environment variable named greeting, and whatever its value is, set this variable equal to that value.
[00:42] Then down here, instead of returning hello, world, we're going to go ahead and return a template string that says, "hello greeting." Now if I run this, if I type export greeting equals egghead and npm start, you'll see that I can access that. I can control that.
[01:08] If I change that to say, greeting equals zeit, then it says hello, zeit. I can control parts of my application without having to change my code. That's pretty cool.
[01:28] In order to take these environment variables and make them true on the now deployment, you have to use a special flag. If I say now -e, I can now give it a key value pair. I can say, "greeting equals egghead" and hit enter.
[02:00] Let's deploy. We'll come over here, wait for that to finish up. Cool. "Hello, egghead." That worked. Just a little bit less energetic without our exclamation points there. That's fine.
[02:28] You can actually do this with multiple things. Let's change this a little bit. Let's say this becomes greeting and this becomes name. That's a little bit more appropriate. We say, "var name equals process.env.name." I can say, "greeting equals hi." Then I can say -e.
[03:03] Again, there can be any number of these, name equals egghead. Now I'm redeploying this. We've got our URL on the clipboard. Let's go ahead and navigate there. Now it says, "hi, egghead." That's cool.
[03:33] Now you might be saying to yourself, "I really don't want to have to type out all of this stuff every time I deploy. I really liked my three-letter deploy." One thing you can do to make that a bit easier is to create a deploy script.
[03:49] We can take this and we can dump it right here. Now when you do npm run deploy, it'll do that for you. It's not three letters, but that's something. That still works.
[04:24] A problem you'll run into sometimes... This is fine for simple strings. There's not necessarily going to be any kind of a problem saving all of this to Git and publishing it. This is not a secret. This is just a config variable that we have set for this version.
[04:38] But what if instead of the name egghead, it's something like -e Twitter API key equals? You don't actually want to paste something in there because then if you commit package.json to Git, now you've got your secret key... It's a bad practice.
[05:03] How can we protect ourselves? How can we stick secret information into our now deploys without committing that information anywhere visible? Now has a feature called secrets that makes this super easy.
[05:18] Let's make our greeting and our name secret for the purposes of this demo. That works like this. We say, "now secret add greeting hey. Now secret add name egghead." I've added those on my command prompt right here.
[05:47] That is the last time I ever need to see them because now I have a name for this secret. I can reference the secret by name and refer to it by name. The actual value isn't going to be stored anywhere in my code. It stays just a reference until it gets up to the now server. Then the environment gets built and the secret gets swapped in.
[06:08] The way I do that is I prefix with an "at" sign (@) here. The value of greeting is going to be my secret greeting and the value of name is going to be my secret name. Then this was just an extra one I forgot to delete.
[06:23] Now if I run npm run deploy, you see it's not even spitting out the actual things. Now we can go here. As you can see, it found our secret and it substituted it into the environment variable that we told it to. This is really cool.
[07:04] If you just type it, it gives you the documentation for it. If you type, "now secrets ls," it'll list all the secrets on your account. I've got a bunch of them here. You can delete them, "now secret remove name."
[07:26] But the important thing is that these secrets, they're secure. You reference them purely by name and the actual value of it is just stored over on the now server. Once you've got that secret in the system, you can reference it by name all you want everywhere in your code, and it's safe and it's secure.
Is it just me or have you just exposed your AWS key/secret on a screencast? Hope you've deauthorized those. :)