Manage secrets
How to handle secrets within the Dynatrace platform
Whenever Dynatrace Apps or functions need to access services outside the Dynatrace platform, secrets are likely required to authenticate these service interactions. Many services require API tokens, OAuth clients, or secrets within webhook URLs to authenticate their users.
Your app must never contain these secrets, for several reasons:
- Anyone with access to the app bundle or to a function (for example, in Notebooks) can read the secret in clear text and misuse it.
- App bundles that embed secrets can't be updated easily: exchanging a single secret means redeploying the whole app.
To help users keep secrets secure and easy to handle, Dynatrace offers the Credential Vault service and a corresponding SDK, which stores secrets, credentials, certificates, etc.
With the help of the SDK, you can easily retrieve your credentials in your app. There are four types of credentials, each with a corresponding interface in the SDK:
| Secret type | Interface |
|---|---|
| Certificate | CredentialsDetailsCertificateResponseElement |
| Public certificate | CredentialsDetailsCertificateResponseElement |
| Token | CredentialsDetailsTokenResponseElement |
| Username and password | CredentialsDetailsUsernamePasswordResponseElement |
When retrieving credentials in your app, you need to use the corresponding interface according to your secret type, like this:
```typescript
import {
  credentialVaultClient,
  CredentialsDetailsTokenResponseElement,
} from '@dynatrace-sdk/client-classic-environment-v2';

// Look up a token-type credential by its Credential Vault id.
// The lookup happens at runtime; the secret itself is never part of the app bundle.
const tokenCredentials: CredentialsDetailsTokenResponseElement =
  await credentialVaultClient.getCredentialsDetails({
    id: 'CREDENTIALS_VAULT-xxxxxxxxxxxxxxxx',
  });

// The token field may be empty; check it before using the value.
if (tokenCredentials.token) {
  // use token
}
```
This operation requires the scope environment-api:credentials:read. Read more about scopes in this guide.
Make sure the credentials you retrieve are stored with the AppEngine scope in the Credential Vault.
To use await in React components, you need to wrap the asynchronous invocation in an async function. Read more about it in this guide.
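The page's snippet reads one token-type credential. The following added example (not code from the Dynatrace SDK or from this page) generalizes that pattern to the four credential types in the table: it narrows a vault entry by its type, turns a token or username/password entry into an Authorization header for an outbound call, fails closed on certificate entries or empty values, and never puts the secret into an error message that could land in a log. The interfaces, the `type` discriminant values, the single-method `VaultClient` shape, and the in-memory `sampleVault` with its ids and values are all assumptions constructed for this example; the real SDK types carry more fields.

```typescript
// Added example, not Dynatrace SDK code. The types below are a minimal model
// based on the page's table (assumption); real SDK types differ in detail.
type CredentialType = 'TOKEN' | 'USERNAME_PASSWORD' | 'CERTIFICATE' | 'PUBLIC_CERTIFICATE';

interface CredentialsBase {
  id: string;
  name: string;
  type: CredentialType;
}

interface TokenCredentials extends CredentialsBase {
  type: 'TOKEN';
  token?: string;
}

interface UsernamePasswordCredentials extends CredentialsBase {
  type: 'USERNAME_PASSWORD';
  username?: string;
  password?: string;
}

interface CertificateCredentials extends CredentialsBase {
  type: 'CERTIFICATE' | 'PUBLIC_CERTIFICATE';
  certificate?: string;
}

type CredentialsDetails = TokenCredentials | UsernamePasswordCredentials | CertificateCredentials;

// Only the one client method this example needs (assumed shape).
interface VaultClient {
  getCredentialsDetails(request: { id: string }): Promise<CredentialsDetails>;
}

const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// Dependency-free base64 for ASCII input, so the example runs without Buffer
// or btoa. Non-ASCII input is rejected rather than silently mangled.
function base64Ascii(s: string): string {
  let out = '';
  for (let i = 0; i < s.length; i += 3) {
    const b0 = s.charCodeAt(i);
    const b1 = i + 1 < s.length ? s.charCodeAt(i + 1) : 0;
    const b2 = i + 2 < s.length ? s.charCodeAt(i + 2) : 0;
    if (b0 > 127 || b1 > 127 || b2 > 127) throw new Error('base64Ascii: non-ASCII input');
    const triple = (b0 << 16) | (b1 << 8) | b2;
    out += B64.charAt((triple >> 18) & 63) + B64.charAt((triple >> 12) & 63);
    out += i + 1 < s.length ? B64.charAt((triple >> 6) & 63) : '=';
    out += i + 2 < s.length ? B64.charAt(triple & 63) : '=';
  }
  return out;
}

// Log-safe summary of an entry: type, id and display name, never the secret.
function safeSummary(creds: CredentialsDetails): string {
  return `${creds.type} credential ${creds.id} (${creds.name})`;
}

// Build an Authorization header from a vault entry. Fails closed on an
// unexpected type or an empty value; error messages carry no secret material.
function authorizationHeader(creds: CredentialsDetails): string {
  switch (creds.type) {
    case 'TOKEN':
      if (!creds.token) throw new Error(`${safeSummary(creds)} has no token value`);
      return `Bearer ${creds.token}`;
    case 'USERNAME_PASSWORD':
      if (!creds.username || !creds.password) throw new Error(`${safeSummary(creds)} is incomplete`);
      return `Basic ${base64Ascii(`${creds.username}:${creds.password}`)}`;
    default:
      // Certificate entries are for TLS client auth, not an Authorization header.
      throw new Error(`${safeSummary(creds)} cannot be used as an Authorization header`);
  }
}

// The async wrapper an app or workflow function calls; inside a React
// component this is what you invoke from an async function.
async function resolveAuthorizationHeader(client: VaultClient, id: string): Promise<string> {
  return authorizationHeader(await client.getCredentialsDetails({ id }));
}

// Constructed in-memory vault for offline use; ids and values are made up.
const SAMPLE_ENTRIES: Record<string, CredentialsDetails> = {
  'CREDENTIALS_VAULT-EXAMPLE-TOKEN': {
    id: 'CREDENTIALS_VAULT-EXAMPLE-TOKEN', name: 'ci-api', type: 'TOKEN', token: 'tok_example_123',
  },
  'CREDENTIALS_VAULT-EXAMPLE-BASIC': {
    id: 'CREDENTIALS_VAULT-EXAMPLE-BASIC', name: 'ticket-bot', type: 'USERNAME_PASSWORD',
    username: 'alice', password: 's3cret',
  },
  'CREDENTIALS_VAULT-EXAMPLE-CERT': {
    id: 'CREDENTIALS_VAULT-EXAMPLE-CERT', name: 'mtls-client', type: 'CERTIFICATE',
    certificate: '-----BEGIN CERTIFICATE-----\n(example)\n-----END CERTIFICATE-----',
  },
};

const sampleVault: VaultClient = {
  async getCredentialsDetails({ id }) {
    const entry = SAMPLE_ENTRIES[id];
    if (!entry) throw new Error(`no credential with id ${id}`);
    return entry;
  },
};
```

Calling `resolveAuthorizationHeader(sampleVault, 'CREDENTIALS_VAULT-EXAMPLE-TOKEN')` resolves to `Bearer tok_example_123`, while the certificate entry rejects with a message that names the entry but not its contents. The point of routing every lookup through one helper is that the type check, the empty-value check and the log hygiene live in a single place instead of being repeated wherever a secret is used.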
Best practices to handle secrets
Storage of secrets in the credential vault
Storing secrets outside places specifically designed for that purpose is discouraged. For the Dynatrace platform, use the Credential Vault and don't hard-code credentials within apps, Dashboards, Notebooks, or similar.
Apply the principle of least privilege
Each user, token, and OAuth client should be assigned only the minimum level of access required to perform its task. That way a secret grants nothing beyond what the task it was created for needs, which limits the damage if the secret leaks.
Don't reuse secrets
Don't reuse secrets across services or tasks. Create a dedicated secret for a single action, for example in a workflow, so that you can change or revoke it without breaking other services that would otherwise depend on the same certificate or token.
Rotate secrets
Try to rotate any secrets periodically. This will ensure that people who had access to secrets in the past can't access the system after they change roles or leave the company.
Review and share secrets
Try to review secrets and their sharing status periodically. Is a secret still in use, or can it be removed? Secrets that aren't stored anywhere can't be compromised. Ask yourself if all persons who can access a secret still require access. From a security point of view, less is more when it comes to sharing secrets.