Secret handling in KNAST (Knast Secret Manager)
- KSM is a tool for using database passwords or secrets (only Datavarehus Oracle DBs P, U and R) in a secure manner. This tool is available on the "DBT (Data Build tool)" Knast image.
- KSM saves encrypted secrets on Google Secret Manager (not on the user's disk) in the user's team project. They can only be decrypted with a key (master password) generated by the user during the encryption process. Other team members can only see an encrypted JSON string in the GCP team project.
- KSM provides the functionality to automatically integrate the DB passwords/secrets required in a DBT project, without the user needing to provide DB passwords manually.
- If the user forgets the master password, KSM provides functionality (run "ksm-encrypt-secrets") to regenerate the secrets, which overwrites the previous secrets on Google Secret Manager.
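To make the second bullet concrete, here is an added illustration (not KSM's own code; KSM's actual algorithm is not described on this page) of the design it states: the DB passwords are encrypted client-side under a key derived from the master password, and what is published to Secret Manager is only an opaque JSON string. It uses scrypt for the master-password stretching and an encrypt-then-MAC construction built from HMAC-SHA256, so it runs on the Python standard library alone; the DB passwords in the demo are constructed sample values. A production tool would use a vetted AEAD from a library such as cryptography instead of the hand-rolled keystream shown here.

```python
import base64
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: block_i = HMAC(key, nonce || i)
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _derive_keys(master_password: str, salt: bytes):
    # scrypt stretches the master password; separate keys for encryption and MAC
    material = hashlib.scrypt(master_password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return material[:32], material[32:]


def encrypt_secrets(secrets: dict, master_password: str) -> str:
    """Return the opaque JSON string that would be stored in Secret Manager."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master_password, salt)
    plaintext = json.dumps(secrets).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    b64 = lambda b: base64.b64encode(b).decode()
    return json.dumps({"salt": b64(salt), "nonce": b64(nonce), "ct": b64(ciphertext), "tag": b64(tag)})


def decrypt_secrets(blob: str, master_password: str) -> dict:
    """Recover the DB passwords; raises ValueError on a wrong master password or an altered blob."""
    fields = json.loads(blob)
    salt, nonce, ciphertext, tag = (base64.b64decode(fields[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # check the tag before touching the ciphertext
        raise ValueError("wrong master password or tampered secret")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


if __name__ == "__main__":
    # Constructed sample: one DB password per DVH environment, keyed by env letter.
    stored = encrypt_secrets({"U": "constructed-u-pass", "R": "constructed-r-pass"}, "my master password")
    print(stored)  # what a team member sees in the GCP project: only ciphertext, salt, nonce, tag
    print(decrypt_secrets(stored, "my master password"))
```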
🚀 Installation
KSM is ready to use out-of-the-box. No need to install or clone any code. Just go ahead and follow the instructions below:
⚙️ One-time System Setup
⚠️ IMPORTANT: Run these commands inside your KNAST terminal
Step 1: 🔐 Authenticate with Google Cloud
gcloud auth login --update-adc
gcloud config get-value project
gcloud config set project <your-project-id>
Step 2: 🔒 Enter & Encrypt Database (DVH) Passwords
Encrypt Secrets
ksm-encrypt-secrets
What happens next:
Follow instructions in terminal
- 🔑 The terminal will prompt you to choose the DVH env, enter the database password and create a master password (a secure, memorable password you'll use daily to decrypt your database passwords).
- The terminal will prompt you to choose or enter your preferred Google Cloud project to publish the secrets on Google Secret Manager. ⚠️ Remember: Always use the project ID instead of the project name.
⚠️ INFO: If you forget your Master Password, you can always create a new secret with a new Master Password.
Check that the script has created the secret in your preferred GCP project:
- Go to your Google Cloud Console
- Go to Security >> Secret Manager
- Under the Secrets tab you will see a list of secrets owned by you or your team
- Choose your secret (with your hostname, e.g. a123456)
- Under Actions, click the 3 vertical dots and choose View secret value to confirm the secret. The same secret JSON should be printed out in your Knast terminal.
🎯 Per-repository setup
Step 1: Clone your dbt-project repo or create a new dbt project
You may need to change your profile in order to support the standard Knast setup. Check out profiles.yml to set the supported format so the secrets are injected correctly.
The following environment variables are set up automatically:
- DBT_DB_TARGET: This is your current environment; run dbt-env to check your active environment (U, R, P ...)
- DBT_ENV_SECRET_USER: Your NAV ident. Tied to your Knast
- DBT_ENV_SECRET_PASS: DB password, encrypted and injected just in time from Google Secret Manager by KSM
- DBT_DB_SCHEMA: Schema is tied to your git root folder name.
Step 2: 🐍 Create/activate virtual environment
uv venv && source .venv/bin/activate
Step 3: 📋 Install Dependencies (if any)
For requirements.txt:
uv pip install -r requirements.txt
For pyproject.toml:
uv pip install -r pyproject.toml
Step 4: ✅ Verify Setup & dbt version
repo-status # Tests if everything is okay
Step 5: ⚙️ Initialize Repository
repo-init
☀️ Daily Routine (Every Workstation Start or as needed)
🔄 Quick Start: Run these commands at the beginning of each session within your repo
Step 1: 🔐 Activate virtual environment (go to your dbt project directory in the terminal)
source .venv/bin/activate
Step 2: 🔐 Authenticate with GCP
gauth # GCP authentication
Step 3: 🔑 Set Master Password
mpass-set
Step 4: ✅ Verify Setup (inside repo)
repo-status # Tests if everything is okay
To get help about KSM in the terminal, run:
ksm-help