ManagementClient and secrets with cli deployment

Hi,
I’m working on a migration from Rules to Actions. One of the changes for me was a change in how we are initiating ManagementClient. I have used this help topic as my basis:

Setting up new application, and then storing the clientid and secret in action’s secrets. This works fine when I’m setting this manually.
But now I need to set up deployment using a0deploy with the tenants.yaml.
So for Application(client), it is easy:

clients:
  - name: XYZClientManagement
    app_type: non_interactive
...

But for the action, how do I now reference the generated client_id and client_secret? I basically need something like this. Is it somehow possible to set up?

actions:
  - name: XYZAction
    code: ../code.js
    secrets:
      - name: MANAGEMENT_CLIENT_CLIENT_ID
        value: ${client.XYZClientManagement.client_id}
      - name: MANAGEMENT_CLIENT_CLIENT_SECRET
        value: ${client.XYZClientManagement.client_secret}

Thank you very much

Curious if there are any recommendations for this? I’m also trying to instantiate a management client in an action, but do not want our client secret referenced in the auth0 deployment yamls.

Hey @jsteinbrunner - While I’m not super familiar with deploy CLI it does look to be possible, here’s an example:

Thanks for the response @tyf!

I found a related post on this topic where @rueben.tiow referenced the same example yaml configuration.

Given his reply, it makes me think _VALUE_NOT_SHOWN_ is static placeholder text for the purpose of the example.

If you know of any other resources that talk more about using secrets in the deploy tool, I would love to take a look.

Happy to help!

I was just able to run the Deploy CLI successfully and create an action with a secret as shown in the example - Both my application’s client_secret and Action secret were set using environment variables. Here’s my tenant.yaml:

actions:
  - name: action-deploy
    code: /Users/me/auth0-dev/test/deploy-cli/code.js
    deployed: true
    secrets:
      - name: MY_SECRET
        value: "#{env.MY_SECRET_VALUE}"
    status: built
    supported_triggers:
      - id: post-login
        version: v2
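
A pre-deploy check for the concern raised in this thread (keeping secret values out of the deployment YAML), added here as an example; it is not code from any poster or from the Deploy CLI project. It accepts the `#{env.NAME}` form shown in the post above plus the Deploy CLI `##NAME##` / `@@NAME@@` keyword forms, assumes those are filled from environment variables of the same name, and uses a hypothetical `check_secrets` helper over constructed sample input.

```python
import re

# Accepted placeholders: "#{env.NAME}" as in the post above, plus the Deploy CLI keyword
# forms ##NAME## / @@NAME@@ (assumed here to be filled from environment variables).
PLACEHOLDER = re.compile(r"^(?:#\{env\.(\w+)\}|##(\w+)##|@@(\w+)@@)$")
FIELD = re.compile(r"^(?:-\s+)?(name|value):\s*(.*)$")

# Constructed sample input, not a real tenant file.
SAMPLE = """\
actions:
  - name: action-deploy
    secrets:
      - name: MY_SECRET
        value: "#{env.MY_SECRET_VALUE}"
      - name: HARDCODED
        value: "constructed-literal-secret"
      - name: UNQUOTED
        value: #{env.MY_SECRET_VALUE}
"""

def check_secrets(yaml_text, environ):
    """Line-based scan (not a full YAML parser) of block-style `secrets:` lists."""
    findings = []
    in_secrets, base, name = False, 0, None
    for no, raw in enumerate(yaml_text.splitlines(), 1):
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if text == "secrets:":
            in_secrets, base, name = True, indent, None
            continue
        # Leave the block at a sibling or parent key; "- " items may sit at the key's indent.
        if in_secrets and (indent < base or (indent == base and not text.startswith("- "))):
            in_secrets = False
        m = FIELD.match(text) if in_secrets else None
        if not m:
            continue
        key, val = m.groups()
        if key == "name":
            name = val.strip("\"'")
        elif val.startswith("#"):  # unquoted '#' after "value: " starts a YAML comment
            findings.append((no, name, "unquoted placeholder parsed as comment"))
        elif not (ph := PLACEHOLDER.match(val.strip("\"'"))):
            findings.append((no, name, "literal value in file"))
        elif not environ.get(var := next(g for g in ph.groups() if g)):
            findings.append((no, name, f"env var {var} not set"))
    return findings

if __name__ == "__main__":
    print(check_secrets(SAMPLE, {"MY_SECRET_VALUE": "x"}))
```

Run it in CI before the deploy step and fail the job when the returned list is non-empty.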

This is super helpful, thank you!
