Accessing secret values

To keep things secure, nullplatform hides secret parameter values as they’re intended to hold sensitive information. You can still get access to these values using these methods:

  • Grant the SecOps role
  • Ask for approval
  • Set a policy

Grant the SecOps role

In nullplatform, reading secret parameter values requires a specific permission granted through the SecOps role. You can assign this role to trusted members of your organization in the Team & Permissions section.

See Authorization and roles for more on managing roles.

Ask for approval

Users who don't have the SecOps role can request access to secret values through approvals.

What happens when access is requested:

  • Access is granted for all versions and dimensions of the parameter.
  • Access remains valid for 24 hours after approval.
  • Requests for access expire if not approved within 3 days.

To configure your organization to use approvals for this use case, refer to the Approvals docs.

Set a policy

Policies let you automatically approve, deny, or require manual approval for access requests based on flexible, rule-based conditions. These rules can consider both user attributes (e.g., their role in the organization) and contextual factors (e.g., whether the application handles sensitive data).

Note: All requests to access secrets are audited, even if they’re automatically approved or rejected by a policy.

Use case: Allow managers to access values for non-sensitive apps

You can configure a policy that automatically approves requests from managers, but only for applications that don’t handle sensitive information.

Create this policy by sending a POST request to the policy creation endpoint:

# "nrn" specifies where the policy applies.
curl -L -X POST 'https://api.nullplatform.com/approval/policy' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-d '{
  "nrn": "organization=1:account=2:namespace=3:application=4",
  "name": "Allow manager to access values for non-sensitive apps",
  "conditions": {
    "user.metadata.ic_level": { "$gte": 3 },
    "application.metadata.has_sensitive_info": { "$eq": false }
  }
}'

Refer to the Policies docs for more info.
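
The following dry run is an added example, not nullplatform code: it evaluates the conditions from the policy above against constructed request contexts, so you can see which requests the rule would auto-approve before you create it. The context shape, the operator semantics, and the rule that a missing attribute never matches are assumptions made for illustration; confirm the platform's actual behavior in the Policies docs.

```python
import json

# Policy body from the curl call on this page, as strict JSON (no comments).
POLICY = json.loads("""{
  "nrn": "organization=1:account=2:namespace=3:application=4",
  "name": "Allow manager to access values for non-sensitive apps",
  "conditions": {
    "user.metadata.ic_level": { "$gte": 3 },
    "application.metadata.has_sensitive_info": { "$eq": false }
  }
}""")

MISSING = object()

# Assumed operator semantics; only the two operators used on this page.
OPERATORS = {
    "$gte": lambda actual, want: type(actual) in (int, float) and actual >= want,
    "$eq": lambda actual, want: type(actual) is type(want) and actual == want,
}

def lookup(context, dotted_path):
    """Resolve a path such as 'user.metadata.ic_level' in nested dicts."""
    node = context
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node

def matches(conditions, context):
    """Assumption: all conditions must hold; a missing attribute never matches."""
    for path, ops in conditions.items():
        actual = lookup(context, path)
        for op, want in ops.items():
            if op not in OPERATORS:
                raise ValueError(f"unsupported operator: {op}")
            if actual is MISSING or not OPERATORS[op](actual, want):
                return False
    return True

def request(ic_level, app_metadata):
    """Build a constructed request context (hypothetical shape)."""
    return {"user": {"metadata": {"ic_level": ic_level}},
            "application": {"metadata": app_metadata}}

if __name__ == "__main__":
    print(matches(POLICY["conditions"], request(3, {"has_sensitive_info": False})))
    print(matches(POLICY["conditions"], request(3, {})))  # unlabelled app
```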