Secrets management

1Password

We use 1Password to share secrets within the team and to set up local development environments.

There is one vault for Find MoJ data, and one vault for Datahub.

There are a number of 1Password utilities available to manage credentials from CLI and desktop environments.

  1. Install the 1Password desktop app - https://support.1password.com/get-the-apps/
  2. Install the 1Password CLI app - https://developer.1password.com/docs/cli/get-started/
  3. Follow the steps to turn on and test the 1Password desktop app integration

GitHub Actions secrets

Our deployment pipelines and CI rely on secrets in GitHub Actions.

These secrets can be updated by anyone with maintainer access to the repo. Once set, they cannot be viewed again.

Application secrets

At runtime, applications read secrets from Kubernetes.

Secrets in a namespace can be listed with

kubectl -n data-platform-datahub-catalogue-dev get secret

or viewed with

kubectl -n data-platform-datahub-catalogue-dev get secret $secretname -o yaml

See Managing Secrets using kubectl.
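
Values under `data` in the output of the command above are base64-encoded rather than encrypted. The following is an added example, not part of the original page: a shell helper that lists each key of a Secret with its decoded size and prints the values only when asked. The function names, the go-template string and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Read "key<TAB>base64value" lines on stdin, one per entry in a Secret's .data.
# Mode "mask" (default) prints only the decoded size, keeping values out of
# terminal scrollback and screen shares; mode "reveal" prints the value.
decode_secret_lines() {
  dsl_mode="${1:-mask}"
  dsl_tab="$(printf '\t')"
  while IFS="$dsl_tab" read -r dsl_key dsl_b64 || [ -n "$dsl_key" ]; do
    [ -n "$dsl_key" ] || continue
    # .data values are base64-encoded, not encrypted: decoding needs no key.
    if ! printf '%s' "$dsl_b64" | base64 -d >/dev/null 2>&1; then
      printf '%s\t<invalid base64>\n' "$dsl_key"
    elif [ "$dsl_mode" = "reveal" ]; then
      printf '%s\t%s\n' "$dsl_key" "$(printf '%s' "$dsl_b64" | base64 -d)"
    else
      dsl_size="$(printf '%s' "$dsl_b64" | base64 -d | wc -c | tr -d ' ')"
      printf '%s\t<%s bytes>\n' "$dsl_key" "$dsl_size"
    fi
  done
}

# Emit key<TAB>value lines for one Secret with kubectl's go-template output
# and pipe them through the decoder.
# Usage: show_secret NAMESPACE SECRET_NAME [mask|reveal]
show_secret() {
  kubectl -n "$1" get secret "$2" \
    -o go-template='{{range $k, $v := .data}}{{$k}}{{"\t"}}{{$v}}{{"\n"}}{{end}}' |
    decode_secret_lines "${3:-mask}"
}

# Constructed sample input (no cluster needed): two keys as the template emits them.
printf 'username\tYWRtaW4=\ntoken\tczNjcjN0\n' | decode_secret_lines
```

For example, `show_secret data-platform-datahub-catalogue-dev "$secretname"` lists the keys and their sizes without printing any values.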

We are not using AWS Secrets Manager as an external secret store due to limitations of AWS console access in Cloud Platform.

This page was last reviewed on 25 November 2024. It needs to be reviewed again on 25 May 2025 by the page owner #data-catalogue.