Encrypted Configuration in Go 🔐


Consuming variables based on the environment a service is running in is a vital part of configuration; however, it is easy to over-engineer a solution when security is a key component. This post describes how configuration is encrypted using KMS and then baked into a Go service which is deployed within a Docker container 🐳.

Format

A simple JSON file with nested objects and a strict format is used as it’s far easier to read and review. Each file has a number of high-level nodes to split up the file for better readability. It is important to note that each environment’s configuration file should have an identical JSON hierarchical path. Even if the environment does not make use of a value, it improves readability if it is set to null.

{
  "giphy": {
    "version": {
      "value": "v1",
      "secure": false
    },
    "api_key": {
      "value": "75db3bc43c9045e69ae98fcd9b5e16e2=",
      "secure": true
    }
  }
}
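The note above about identical JSON hierarchical paths is easy to enforce mechanically. The following Go program is an added example, not code from the post or from Vidsy's tooling: it walks two environment files, collects every "value"/"secure" leaf as a dotted path, and reports paths present in one file but not the other. A node set to null still counts as present, which is exactly the convention the format asks for. The two embedded config files are constructed for the example and the ciphertext is a placeholder.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Two constructed environment files (not taken from the post). The staging
// file is missing "giphy.api_key" and carries an extra "giphy.timeout", so
// the check has something to report.
const devJSON = `{
  "giphy": {
    "version": {"value": "v1", "secure": false},
    "api_key": {"value": "CIPHERTEXT-PLACEHOLDER", "secure": true}
  }
}`

const stagingJSON = `{
  "giphy": {
    "version": {"value": "v1", "secure": false},
    "timeout": {"value": null, "secure": false}
  }
}`

// leafPaths walks a decoded JSON tree and records every node that has both a
// "value" and a "secure" field as a dotted path such as "giphy.api_key".
// A node whose value is null still counts: the path exists, as the format requires.
func leafPaths(node interface{}, prefix string, out map[string]bool) {
	obj, ok := node.(map[string]interface{})
	if !ok {
		return
	}
	_, hasValue := obj["value"]
	_, hasSecure := obj["secure"]
	if hasValue && hasSecure {
		out[prefix] = true
		return
	}
	for key, child := range obj {
		path := key
		if prefix != "" {
			path = prefix + "." + key
		}
		leafPaths(child, path, out)
	}
}

// Paths decodes one config file and returns its sorted leaf paths.
func Paths(raw string) ([]string, error) {
	var tree interface{}
	if err := json.Unmarshal([]byte(raw), &tree); err != nil {
		return nil, err
	}
	set := map[string]bool{}
	leafPaths(tree, "", set)
	paths := make([]string, 0, len(set))
	for p := range set {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	return paths, nil
}

// Diff returns the leaf paths found only in a and only in b. Two environment
// files are consistent exactly when both slices come back empty.
func Diff(aJSON, bJSON string) ([]string, []string, error) {
	a, err := Paths(aJSON)
	if err != nil {
		return nil, nil, err
	}
	b, err := Paths(bJSON)
	if err != nil {
		return nil, nil, err
	}
	inA, inB := map[string]bool{}, map[string]bool{}
	for _, p := range a {
		inA[p] = true
	}
	for _, p := range b {
		inB[p] = true
	}
	var onlyA, onlyB []string
	for _, p := range a {
		if !inB[p] {
			onlyA = append(onlyA, p)
		}
	}
	for _, p := range b {
		if !inA[p] {
			onlyB = append(onlyB, p)
		}
	}
	return onlyA, onlyB, nil
}

func main() {
	onlyDev, onlyStaging, err := Diff(devJSON, stagingJSON)
	if err != nil {
		panic(err)
	}
	fmt.Println("only in dev:", onlyDev)         // [giphy.api_key]
	fmt.Println("only in staging:", onlyStaging) // [giphy.timeout]
}
```

Running this as a CI step against every pair of environment files catches a secret that was added to production but forgotten in staging before the image is built, rather than at first request in the wrong environment.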

Encrypting Values

Access to encrypt or decrypt values is centrally managed by IAM policies in AWS. Developers are able to encrypt configuration values locally using a CLI that wraps the AWS KMS SDK.

vidsy-cli encrypt <env> <value>

Build Process

CircleCI is used to build a static binary of the service using vidsy/go-builder. This binary, along with the JSON configuration files, is then built into a Docker image based on Alpine Linux.

FROM vidsyhq/go-base:latest
MAINTAINER charlie@vidsy.co
ADD hello-world-service /
ADD config /config
CMD ["/hello-world-service"]

Access

Services use vidsy/kmsconfig as a common interface for accessing both plaintext and secured configuration values.
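The loader below is an added example of the access pattern described in this section and in "Encrypting Values", not the code of vidsy/kmsconfig. It decodes the JSON format into namespace/key entries, passes every `secure: true` value through a `Decrypter` interface at startup, and hands callers plaintext only. The `Decrypter` interface, the `fakeKMS` stand-in (which only "decrypts" strings carrying a `FAKEKMS:` prefix so the program runs offline) and the embedded config are all constructed for this example; in a real service the interface would be satisfied by a thin wrapper around the KMS SDK's Decrypt call, authorised by the service's IAM role.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Decrypter is the single operation the loader needs from KMS. A production
// implementation wraps the AWS KMS SDK; fakeKMS below stands in for it here.
type Decrypter interface {
	Decrypt(ciphertext string) (string, error)
}

// entry mirrors one leaf node of the JSON format. Value is a pointer so an
// explicit null in the file is distinguishable from a missing key.
type entry struct {
	Value  *string `json:"value"`
	Secure bool    `json:"secure"`
}

// Config holds resolved values keyed by "namespace.key". Secure values are
// decrypted once at load time, so ciphertext never reaches callers.
type Config struct {
	values map[string]*string
}

// Load parses the JSON file and resolves every secure value through d.
// Any decrypt failure aborts the load so a misconfigured environment
// fails at startup instead of at first use.
func Load(raw []byte, d Decrypter) (*Config, error) {
	var tree map[string]map[string]entry
	if err := json.Unmarshal(raw, &tree); err != nil {
		return nil, fmt.Errorf("parse config: %w", err)
	}
	c := &Config{values: map[string]*string{}}
	for ns, keys := range tree {
		for key, e := range keys {
			path := ns + "." + key
			switch {
			case e.Value == nil:
				c.values[path] = nil // path present, no value in this environment
			case !e.Secure:
				c.values[path] = e.Value
			default:
				plain, err := d.Decrypt(*e.Value)
				if err != nil {
					return nil, fmt.Errorf("decrypt %s: %w", path, err)
				}
				c.values[path] = &plain
			}
		}
	}
	return c, nil
}

// Get returns the plaintext for a dotted path; unknown and null paths are errors.
func (c *Config) Get(path string) (string, error) {
	v, ok := c.values[path]
	if !ok {
		return "", fmt.Errorf("config: no such key %q", path)
	}
	if v == nil {
		return "", fmt.Errorf("config: %q is null in this environment", path)
	}
	return *v, nil
}

// fakeKMS is a constructed stand-in for KMS: it strips a fixed prefix and
// rejects anything that does not carry it, mimicking a decrypt failure.
type fakeKMS struct{}

func (fakeKMS) Decrypt(ciphertext string) (string, error) {
	const prefix = "FAKEKMS:"
	if !strings.HasPrefix(ciphertext, prefix) {
		return "", errors.New("fake kms: ciphertext was not produced by this key")
	}
	return strings.TrimPrefix(ciphertext, prefix), nil
}

// sampleConfig is constructed for this example; the api_key is a fake ciphertext.
const sampleConfig = `{
  "giphy": {
    "version": {"value": "v1", "secure": false},
    "api_key": {"value": "FAKEKMS:super-secret-key", "secure": true},
    "proxy":   {"value": null, "secure": false}
  }
}`

func main() {
	cfg, err := Load([]byte(sampleConfig), fakeKMS{})
	if err != nil {
		panic(err)
	}
	version, _ := cfg.Get("giphy.version") // "v1"
	apiKey, _ := cfg.Get("giphy.api_key")  // "super-secret-key"
	fmt.Println(version, len(apiKey) > 0)
}
```

Because decryption happens through the running service's own credentials, the Docker image can carry the configuration files as-is: an image pulled by someone without the KMS decrypt permission yields only ciphertext, and a value wrongly marked `secure: false` is the one mistake this layout cannot catch, which is why the file is meant to be reviewed as plain JSON.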

Hope this helps. Enjoy! 🎉 // Twitter: @charlierevett
