How to store secrets longer than 4096 chars?

[aknuds1]

Prerequisites

• [x] I am running the latest version. (up upgrade)
• [x] I searched to see if the issue already exists.
• [x] I inspected the verbose debug output with the -v, --verbose flag.
• [x] Are you an Up Pro subscriber?

Description

I am trying to provide certificates to my service, but up's method for storing secrets (encrypted environment variables) doesn't support strings of this length (> 4096 chars). How should I store lengthy secrets?

[komuw]

@aknuds1 how about compressing the certificate into a string(with something like gzip) and then uncompress it when you need it.

As an example, given this certificate(python code):

import zlib

cert = """-----BEGIN CERTIFICATE-----
MIIDuzCCAqOgAwIBAgIIU4Px/idbvgswDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcxMjEzMTMwOTQxWhcNMTgwMzA3MTMwMTAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARKr5OUrAwZmnRD
Ob9Fxi3sskR9wwCsBYuE05D9+Dq5hD7UKi6o2mBDJ0q1Qicn0rg7tOHezOOGo1MR
UlwA+qnvo4IBUTCCAU0wEwYDVR0lBAwwCgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQD
AgeAMBkGA1UdEQQSMBCCDnd3dy5nb29nbGUuY29tMGgGCCsGAQUFBwEBBFwwWjAr
BggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcyLmNydDArBggr
BgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5jb20vb2NzcDAdBgNVHQ4E
FgQUcgxgaHW9xdqNbo1vh9z5Ln9E+UIwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAW
gBRK3QYWG7z2aLV29YG2u2IaulqBLzAhBgNVHSAEGjAYMAwGCisGAQQB1nkCBQEw
CAYGZ4EMAQICMDAGA1UdHwQpMCcwJaAjoCGGH2h0dHA6Ly9wa2kuZ29vZ2xlLmNv
bS9HSUFHMi5jcmwwDQYJKoZIhvcNAQELBQADggEBAF09DZQ/eQeNcJ3E/R/kaA0T
isQPRQCbr2MTZXH/YTvyV47TwMGjgj+dcH1bCH7C2foN+YSyZTchCRdaqbNxl7ZE
en2uj0w7rw2jp8zj2VdbL6APG3oqAieOQUSBlZTEosxj9U1XuWYhauPQc6pDuiBb
B84vSb+nXSxu4yktR55SNu0ZQGVMgGdx4xyyKlpScBCUCjrEYoYzyUsGL9TtO6xa
QYspm+QXESmHIhieLTPO1V8FOU7Q57to1A8/ToJM0EnqClbafTKzwGS3Rr0XE0zd
e2diHxZrx5emZVuWtLeZZxJTYoJlICWJyO2UjCYBY5G0B0XwUinBghekWvzusoQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEKDCCAxCgAwIBAgIQAQAhJYiw+lmnd+8Fe2Yn3zANBgkqhkiG9w0BAQsFADBC
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMS
R2VvVHJ1c3QgR2xvYmFsIENBMB4XDTE3MDUyMjExMzIzN1oXDTE4MTIzMTIzNTk1
OVowSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMT
HEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCcKgR3XNhQkToGo4Lg2FBIvIk/8RlwGohGfuCPxfGJziHu
Wv5hDbcyRImgdAtTT1WkzoJile7rWV/G4QWAEsRelD+8W0g49FP3JOb7kekVxM/0
Uw30SvyfVN59vqBrb4fA0FAfKDADQNoIc1Fsf/86PKc3Bo69SxEE630k3ub5/DFx
+5TVYPMuSq9C0svqxGoassxT3RVLix/IGWEfzZ2oPmMrhDVpZYTIGcVGIvhTlb7j
gEoQxirsupcgEcc5mRAEoPBhepUljE5SdeK27QjKFPzOImqzTs9GA5eXA37Asd57
r0Uzz7o+cbfe9CUlwg01iZ2d+w4ReYkeN8WvjnJpAgMBAAGjggERMIIBDTAfBgNV
HSMEGDAWgBTAephojYn7qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1
dvWBtrtiGrpagS8wDgYDVR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggr
BgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAw
NQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9i
YWwuY3JsMCEGA1UdIAQaMBgwDAYKKwYBBAHWeQIFATAIBgZngQwBAgIwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQDKSeWs
12Rkd1u+cfrP9B4jx5ppY1Rf60zWGSgjZGaOHMeHgGRfBIsmr5jfCnC8vBk97nsz
qX+99AXUcLsFJnnqmseYuQcZZTTMPOk/xQH6bwx+23pwXEz+LQDwyr4tjrSogPsB
E4jLnD/lu3fKOmc2887VJwJyQ6C9bgLxRwVxPgFZ6RGeGvOED4Cmong1L7bHon8X
fOGLVq7uZ4hRJzBgpWJSwzfVO+qFKgE4h6LPcK2kesnE58rF2rwjMvL+GMJ74N87
L9TQEOaWTPtEtyFkDbkAlDASJodYmDkFOA/MgkgMCkdm7r+0X8T/cKjhf4t5K7hl
MqO5tzHpCvX2HzLc
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG
EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg
R2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9
9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq
fnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv
iS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU
1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+
bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW
MPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA
ephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l
uMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn
Z57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS
tQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF
PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un
hw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV
5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG
EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg
R2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9
9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq
fnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv
iS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU
1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+
bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW
MPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA
ephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l
uMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn
Z57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS
tQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF
PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un
hw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV
5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
-----END CERTIFICATE-----"""

print len(cert) # 5287 which is larger than 4096 chars
compressedCertificate = zlib.compress(cert)
print len(compressedCertificate) # 2228 which is less  than 4096 chars

So you would use the value of compressedCertificate as your environment variable and then in your app, when you read that variable, remember to uncompress [zlib.decompress(compressedCertificate) for python's case] it to get the real value.

[aknuds1]

@komuw I thought of the same, but for now I'm trying to use encrypted parameters stored in AWS Systems Manager instead. I wonder if Up also uses this?

[aknuds1]

@komuw Ugh, Systems Manager imposes the same restriction as up, so I'm out of luck in that regard :/ I'll see if I can make your solution work.

[aknuds1]

@komuw I'm stuck on adding the gzip compressed string with up env add without corrupting it. Somehow it gets corrupted in the process, and I can't decompress it.

[komuw]

I'm guessing that up uses AWS parameter store behind the scenes. And param store has a limit[1] of 4096 chars on the value of the parameter. @aknuds1 you could base64 encode the gzipped string, that way the output would have safe chars to use in up.json;

import base64
encodedcertificate = base64.urlsafe_b64encode(zlib.compress(cert))
print len(encodedcertificate) # 3496 chars

1. https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_Parameter.html

[aknuds1]

@komuw Thanks, I solved it in the meantime, indeed by base64 encoding the compressed string.

[tj]

Up does use Parameter Store at the moment, subject to the same limitations for now :'( if this becomes common I can look into using S3 or something but 4096 generally seems to be plenty for env vars

[aknuds1]

@tj Is my requirement to store a certificate so unusual?

[tj]

@aknuds1 I wouldn't say so but I don't think anyone else has hit the limit yet, that I'm aware of at least

[aknuds1]

To me it seems there should be a way of storing longer secrets than 4096 chars.

[komuw]

param store has a max of 4096, I think up should continue using what is the default in param store. for storing certificates in AWS, the right place is in certificate manager[1] aws iam upload-server-certificate help
maybe up can have a config where people can input certificates and then it uploads to cert-manager, but that seems like complicating things

1. https://aws.amazon.com/certificate-manager/

[aknuds1]

@komuw Can I fetch a certificate from the certificate manager as a string in my service? I just use it to configure the RethinKDB driver.

[komuw]

@aknuds1 if you upload the certificate beforehand using your favorite AWS client, then in your application you should be able to query for it[1]

1. https://docs.aws.amazon.com/cli/latest/reference/iam/get-server-certificate.html

[aknuds1]

@komuw OK, but not sure it's worth the hassle as I was able to squeeze it into an environment variable.

[komuw]

@aknuds1 you could add an up hook[1] that uploads the certificate

{
  "name": "app",
  "hooks": {
    "predeploy": [
      "echo 'uploading ssl certificate to AWS IAM'",
      "aws iam upload-server-certificate --server-certificate-name mycert --certificate-body file://cert.pem --private-key file://private_key.key --certificate-chain file://cert_chain.pem",
      "echo 'done'"
    ]
  }
}

you would need to have the aws cli installed locally

1. https://up.docs.apex.sh/#configuration.hook_scripts

[sorenbs]

Just want to add that I had a related issue today when I was trying to deploy multiple long environment variables using the OSS version of up: https://github.com/motdotla/node-lambda/issues/212

Lambda has a 4kb limit on env variables.

As my env vars are all individually below the parameter store limit, upgrading to up pro and using encrypted variables solved my issue :-)

[sreekanth3107]

@tj we are storing the Account id that excessed the limit of 4096 characters now. Is there any work around to increase the length ?