Encrypted Configuration in Go 🔐
Consuming variables based on the environment a service is running in is a vital part of configuration; however, it is easy to over-engineer a solution when security is a key component. This post describes how configuration is encrypted using KMS and then baked into a Go service that is deployed within a Docker container 🐳.
A simple JSON file with nested objects and a strict format is used as it’s far easier to read and review. Each file has a number of high-level nodes to split up the file for better readability. It is important to note that each environment’s configuration file should have an identical JSON hierarchical path. Even if the environment does not make use of a value, it improves readability if it is set to
Access to encrypt or decrypt values is centrally managed by IAM policies in AWS. Developers are able to encrypt configuration values locally using a CLI that wraps the AWS KMS SDK.
vidsy-cli encrypt <env> <value>
ADD hello-world-service /
ADD config /config
Services use vidsy/kmsconfig as a common interface for accessing both plaintext and secured configuration values.
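The requirement above that every environment's file shares an identical JSON hierarchical path can be checked mechanically before the config directory is added to the image. The Go check below is an added example, not code from the original post or from vidsy/kmsconfig; the sample files, key names and the <kms-ciphertext> placeholder are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample files; the key names are illustrative, not from the post.
var sampleFiles = map[string][]byte{
	"staging":    []byte(`{"database":{"host":"db.staging.internal","password":"<kms-ciphertext>"},"metrics":{"api_key":"<kms-ciphertext>"}}`),
	"production": []byte(`{"database":{"host":"db.prod.internal","password":"<kms-ciphertext>"},"metrics":{}}`),
}

// flatten records every dotted key path in node (intermediate objects included)
// in both the per-environment set and the union across environments.
func flatten(prefix string, node map[string]interface{}, out, union map[string]bool) {
	for k, v := range node {
		out[prefix+k], union[prefix+k] = true, true
		if child, ok := v.(map[string]interface{}); ok {
			flatten(prefix+k+".", child, out, union)
		}
	}
}

// missingByEnv lists, per environment, key paths found in another environment's file but not its own.
func missingByEnv(files map[string][]byte) (map[string][]string, error) {
	perEnv, union := map[string]map[string]bool{}, map[string]bool{}
	for env, raw := range files {
		var doc map[string]interface{}
		if err := json.Unmarshal(raw, &doc); err != nil {
			return nil, fmt.Errorf("%s: %w", env, err)
		}
		perEnv[env] = map[string]bool{}
		flatten("", doc, perEnv[env], union)
	}
	missing := map[string][]string{} // stays empty when all hierarchies match
	for env, have := range perEnv {
		for p := range union {
			if !have[p] {
				missing[env] = append(missing[env], p)
			}
		}
		sort.Strings(missing[env])
	}
	return missing, nil
}

func main() { fmt.Println(missingByEnv(sampleFiles)) }
```

A non-empty result is a reason to fail the build: a secret path that exists in only one environment's file would otherwise first be noticed when the service runs in the environment that lacks it.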
Hope this helps. Enjoy! 🎉 // Twitter: @charlierevett