How do I reference an environment-specific secret or non-secret value from a script in the Identity Cloud?
The purpose of this article is to provide assistance if you want to reference secrets or non-secret values (such as a third-party URL) from a script, where the values vary depending on the environment being used. For example, you want to use the Scripted Decision node to consume an API key in a script that is used to call a third-party API, and you use different keys in your Development, Staging and Production environments.
Overview
Script requirements
You must observe the following requirements when you create your script:
- The variable declaration must be on a separate line, but this can be anywhere in your script.
- The entire variable declaration, including the secret or value, must be stored on a single line. If the secret or value is currently a multi-lined string, you must resolve it to a single line before including it in your script.
- The variable name must be unique and cannot be reused elsewhere in the script. The same variable name can be used in other scripts, but you will need to tell us about each script it is used in.
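A check you could run on a script before raising the ticket, covering the three requirements above; this is an added example, not ForgeRock's code, and `checkDeclaration` and `callThirdParty` are hypothetical names. It assumes "reused" means redeclared or reassigned, and it treats anything else on the declaration line (including a trailing comment) as a violation.

```javascript
// Added example. checkDeclaration is a hypothetical helper, not a ForgeRock API.
// Line-based only: it does not parse comments or string contents.
function checkDeclaration(scriptText, varName) {
  const problems = [];
  const lines = scriptText.split(/\r?\n/);
  const name = varName.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  // Compliant line: nothing but  var NAME = "value";  with the literal closed on that line.
  const whole = new RegExp(
    `^\\s*var\\s+${name}\\s*=\\s*(?:"(?:[^"\\\\]|\\\\.)*"|'(?:[^'\\\\]|\\\\.)*')\\s*;?\\s*$`);
  const declares = new RegExp(`\\b(?:var|let|const)\\s+${name}\\b`);
  // Assignment (not ==, ===, or an arrow function) to the bare name.
  const assigns = new RegExp(`(?:^|[^.\\w$])${name}\\s*=(?![=>])`);

  const declLines = [];
  lines.forEach((line, i) => {
    if (declares.test(line)) {
      declLines.push(i + 1);
      if (!whole.test(line)) {
        problems.push(`line ${i + 1}: declaration must sit alone on one line, value included`);
      }
    } else if (assigns.test(line)) {
      // Assumption: "reused" in the requirements means redeclared or reassigned.
      problems.push(`line ${i + 1}: ${varName} is assigned again`);
    }
  });
  if (declLines.length === 0) problems.push(`${varName} is never declared`);
  if (declLines.length > 1) {
    problems.push(`${varName} is declared ${declLines.length} times (lines ${declLines.join(", ")})`);
  }
  return problems;
}

// Constructed sample scripts; callThirdParty is a placeholder name.
const okScript = 'var mySecret = "abcd1234";\nif (mySecret !== "") { callThirdParty(mySecret); }';
const splitScript = 'var mySecret = "abcd" +\n  "1234";\ncallThirdParty(mySecret);';
console.log(checkDeclaration(okScript, "mySecret"));
console.log(checkDeclaration(splitScript, "mySecret"));
```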
Referencing an environment-specific secret or value from a script
You can reference an environment-specific secret or value in your scripts as follows:
- Update your script in the Development environment to declare the variable and required value. For example, include a declaration as follows:
  var mySecret = "abcd1234";
- Raise a Configuration Promotion ticket with the following details:
  - The name of the variable.
  - The name of the script the variable is being used in.
  - The name of the realm where the script is located.
  - The value for this variable in each environment. You can provide encrypted values if required; the ForgeRock support engineer can provide instructions for doing this in the ticket if requested.
  For example:
  var name: mySecret
  Script name: myScript
  Realm: alpha
  Value in Development: abcd1234
  Value in Staging: 4321dcba
  Value in Production: efghij567890!
ForgeRock will then securely register these secrets or values in each environment, and the script will be auto-updated with the environment-specific values when we promote your configuration changes.
Note
Please note the following:
- You will still see the actual secret or decrypted value in the script if you look in the Admin UI, but this will not be exposed within the node. Operationally, this is replaced with a pointer to the secret value that is parsed when the script needs to be run or edited in the UI, etc.
- You must tell us if the value changes in any of your environments so we can update the stored values accordingly.