node.js heroku secret-key app-secret

Why does the secret management tool SecretHub work locally but not in Heroku production?


I decided to implement a secret management service (secrethub.io) for a node.js server hosted by Heroku.

Its install process goes something like:

npm install --save-dev @secrethub/cli
secrethub init

(then a credential is given once you signup)

then you adjust main start script to:

secrethub run -- nodemon server.js

Now when I run the app locally with npm run start everything is fine, the server runs as it should, secrets are injected, all is good. But when I deploy to Heroku, the app crashes immediately on the start script:

server@1.0.0 start /app
2020-09-28T22:42:08.353088+00:00 app[web.1]: > secrethub run -- nodemon server.js
2020-09-28T22:42:08.353088+00:00 app[web.1]:
2020-09-28T22:42:08.469775+00:00 app[web.1]: Encountered an error: error while processing template file 'secrethub.env': could not find credential file. Go to https://signup.secrethub.io/ to create an account or run secrethub init to use an already existing account on this machine. (secrethub.credential_not_exist) (run.template_parsing_failed)
2020-09-28T22:42:08.484159+00:00 app[web.1]: npm ERR! code ELIFECYCLE
2020-09-28T22:42:08.484663+00:00 app[web.1]: npm ERR! errno 1
2020-09-28T22:42:08.493367+00:00 app[web.1]: npm ERR! aflare-stripe@1.0.0 start: secrethub run -- nodemon server.js
2020-09-28T22:42:08.493885+00:00 app[web.1]: npm ERR! Exit status 1
2020-09-28T22:42:08.494399+00:00 app[web.1]: npm ERR!
2020-09-28T22:42:08.494840+00:00 app[web.1]: npm ERR! Failed at the aflare-stripe@1.0.0 start script.
2020-09-28T22:42:08.495292+00:00 app[web.1]: npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
2020-09-28T22:42:08.515466+00:00 app[web.1]:
2020-09-28T22:42:08.516772+00:00 app[web.1]: npm ERR! A complete log of this run can be found in:
2020-09-28T22:42:08.517179+00:00 app[web.1]: npm ERR! /app/.npm/_logs/2020-09-28T22_42_08_498Z-debug.log

Like I said, I've already signed up and everything. Anyone know of any issues deploying to Heroku and using secret management services?


Solution

  • Judging from the following part of the log, it looks like the SecretHub CLI does not have access to a credential:

    could not find credential file. Go to https://signup.secrethub.io/ to create an account or run secrethub init to use an already existing account on this machine. (secrethub.credential_not_exist)

    You can solve this by creating a service account for your Heroku app. You can follow this guide to see how. You can configure the resulting credential as the SECRETHUB_CREDENTIAL environment variable in Heroku (see here how).
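
A preflight check for the situation in the answer above, as an added example that is not code from the original post or from SecretHub: it reports where `secrethub run` could take a credential from without ever printing its value, which shows why the app starts locally (credential file from `secrethub init`) but not on a dyno (no file, no `SECRETHUB_CREDENTIAL`). The function names are hypothetical, the credential file location `~/.secrethub/credential` is an assumption about the CLI's default, and `DYNO` is the variable Heroku sets on its dynos.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// Assumption: `secrethub init` writes the local credential to this path
// under the user's home directory.
const CREDENTIAL_FILE = path.join(".secrethub", "credential");

// Report where the CLI could get a credential from, never its value.
function credentialSource(env, homeDir, fileExists = fs.existsSync) {
  if ((env.SECRETHUB_CREDENTIAL || "").trim() !== "") {
    return { source: "env", detail: "SECRETHUB_CREDENTIAL" };
  }
  const file = path.join(homeDir, CREDENTIAL_FILE);
  return fileExists(file)
    ? { source: "file", detail: file }
    : { source: "none", detail: file };
}

// Decide whether `secrethub run` can start, and flag a risky setup.
function preflight(env = process.env, homeDir = os.homedir(), fileExists = fs.existsSync) {
  const found = credentialSource(env, homeDir, fileExists);
  const onHeroku = Boolean(env.DYNO); // Heroku sets DYNO on every dyno
  if (found.source === "none") {
    return {
      ok: false,
      message: `no SecretHub credential: SECRETHUB_CREDENTIAL is unset and ${found.detail} does not exist`,
    };
  }
  if (found.source === "file" && onHeroku) {
    // A credential file on a dyno most likely came from the deployed code,
    // meaning a personal credential was committed to the repository.
    return {
      ok: false,
      message: `credential file ${found.detail} is shipped with the app; use a service account in SECRETHUB_CREDENTIAL instead`,
    };
  }
  return { ok: true, message: `credential found via ${found.source} (${found.detail})` };
}

module.exports = { credentialSource, preflight };
```

Calling `preflight()` at the top of the start script and exiting on `ok: false` turns the template-parsing error from the log into a message that names the missing variable.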