spiff-arena/docs/DevOps_installation_integra.../Secrets.md

# How to Configure Secrets in SpiffArena

## Introduction

This document aims to guide users and administrators on how to configure secrets in SpiffArena, especially when dealing with BPMN diagrams stored in a public GitHub repository.
The primary use case focuses on ensuring that sensitive information like API keys or OAuth tokens are not exposed while still making the process diagrams publicly available.

## Use Case

You might have service tasks in diagrams that require sensitive information like API keys or OAuth tokens, which you don't want to commit to GitHub.

SpiffArena allows you to create secrets that are stored in an encrypted format in the database.
These secrets can be referenced in the XML of the BPMN diagrams, ensuring that while the process is visible, the sensitive information is not.
Secrets are only used in service tasks.

## Roles and Permissions

- **SpiffArena Admin**: Can add or configure secrets.
- **External Service Admin**: For example, an admin in Bamboo HR can provide the API key that a SpiffArena admin would then configure as a secret.
- **Diagram Author**: Can reference secrets in service tasks but cannot see the actual secret values.
---

## How to Configure Secrets

### Adding a New Secret

1. **Navigate to the Configuration Section**: Go to the configuration section from the top panel and click on "Add a secret". Ensure you have admin access to SpiffArena.
![Configuration Section](images/Secrets_step_1.png)

2. **Add New Secret**: Create a new secret by entering a key and its corresponding value. Once saved, the value will be encrypted.
![Secrets Section](images/Secrets_step_2.png)

### Using Secrets in Service Tasks

1. **Open the BPMN Diagram**: Open the diagram where you want to configure the service task.

2. **Configure Service Task**: Click on the service task you want to configure and in the service properties panel, search for the Operator ID that you want to add a secret for and mention the response variable to capture the result of the request.

3. **Add Secret Reference**: In the parameters, you can reference the secret using the following format:

    ```xml
    spiffworkflow:parameter id="headers" type="any" value="{ "Authorization": "Bearer SPIFF_SECRET:github_oauth" }"
    ```

    Here, `SPIFF_SECRET:github_oauth` will be replaced by the actual, unencrypted value from the database when the service task runs.
![Secrets Configuration](images/Secrets_configure_2.png)
---

Configuring secrets in SpiffArena provides a secure way to handle sensitive information in your BPMN diagrams.
It allows you to make your processes public without exposing critical data, thereby enhancing both transparency and security.
Adding content for features (#481) 2023-09-12 16:43:49 +00:00			`# How to Configure Secrets in SpiffArena`

			`## Introduction`

Ventilate prose (#1305) * ventilate prose * ventilate all the things --------- Co-authored-by: burnettk <burnettk@users.noreply.github.com> 2024-04-01 14:17:38 +00:00			`This document aims to guide users and administrators on how to configure secrets in SpiffArena, especially when dealing with BPMN diagrams stored in a public GitHub repository.`
			`The primary use case focuses on ensuring that sensitive information like API keys or OAuth tokens are not exposed while still making the process diagrams publicly available.`
Adding content for features (#481) 2023-09-12 16:43:49 +00:00
			`## Use Case`
Ventilate prose (#1305) * ventilate prose * ventilate all the things --------- Co-authored-by: burnettk <burnettk@users.noreply.github.com> 2024-04-01 14:17:38 +00:00
Proofread docs (#1300) * proofread docs * proofreading docs * remove trailing whitespace * tweak * clarify sartography role * restore quick start and faq content * few fixes * Apply suggestions from code review Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * consistent use of SpiffArena --------- Co-authored-by: burnettk <burnettk@users.noreply.github.com> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> 2024-03-29 19:12:32 +00:00			`You might have service tasks in diagrams that require sensitive information like API keys or OAuth tokens, which you don't want to commit to GitHub.`
Adding content for features (#481) 2023-09-12 16:43:49 +00:00
Ventilate prose (#1305) * ventilate prose * ventilate all the things --------- Co-authored-by: burnettk <burnettk@users.noreply.github.com> 2024-04-01 14:17:38 +00:00			`SpiffArena allows you to create secrets that are stored in an encrypted format in the database.`
			`These secrets can be referenced in the XML of the BPMN diagrams, ensuring that while the process is visible, the sensitive information is not.`
			`Secrets are only used in service tasks.`
Adding content for features (#481) 2023-09-12 16:43:49 +00:00
			`## Roles and Permissions`

			`- SpiffArena Admin: Can add or configure secrets.`
			`- External Service Admin: For example, an admin in Bamboo HR can provide the API key that a SpiffArena admin would then configure as a secret.`
			`- Diagram Author: Can reference secrets in service tasks but cannot see the actual secret values.`
			`---`

			`## How to Configure Secrets`

			`### Adding a New Secret`

Proofread docs (#1300) * proofread docs * proofreading docs * remove trailing whitespace * tweak * clarify sartography role * restore quick start and faq content * few fixes * Apply suggestions from code review Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * consistent use of SpiffArena --------- Co-authored-by: burnettk <burnettk@users.noreply.github.com> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> 2024-03-29 19:12:32 +00:00			`1. Navigate to the Configuration Section: Go to the configuration section from the top panel and click on "Add a secret". Ensure you have admin access to SpiffArena.`
Adding content for features (#481) 2023-09-12 16:43:49 +00:00			`![Configuration Section](images/Secrets_step_1.png)`

			`2. Add New Secret: Create a new secret by entering a key and its corresponding value. Once saved, the value will be encrypted.`
			`![Secrets Section](images/Secrets_step_2.png)`

			`### Using Secrets in Service Tasks`

Proofread docs (#1300) * proofread docs * proofreading docs * remove trailing whitespace * tweak * clarify sartography role * restore quick start and faq content * few fixes * Apply suggestions from code review Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * consistent use of SpiffArena --------- Co-authored-by: burnettk <burnettk@users.noreply.github.com> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> 2024-03-29 19:12:32 +00:00			`1. Open the BPMN Diagram: Open the diagram where you want to configure the service task.`
Adding content for features (#481) 2023-09-12 16:43:49 +00:00
Proofread docs (#1300) * proofread docs * proofreading docs * remove trailing whitespace * tweak * clarify sartography role * restore quick start and faq content * few fixes * Apply suggestions from code review Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * consistent use of SpiffArena --------- Co-authored-by: burnettk <burnettk@users.noreply.github.com> Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> 2024-03-29 19:12:32 +00:00			`2. Configure Service Task: Click on the service task you want to configure and in the service properties panel, search for the Operator ID that you want to add a secret for and mention the response variable to capture the result of the request.`
Adding content for features (#481) 2023-09-12 16:43:49 +00:00
			`3. Add Secret Reference: In the parameters, you can reference the secret using the following format:`

			```xml
			`spiffworkflow:parameter id="headers" type="any" value="{ "Authorization": "Bearer SPIFF_SECRET:github_oauth" }"`
			```

			Here, `SPIFF_SECRET:github_oauth` will be replaced by the actual, unencrypted value from the database when the service task runs.
			`![Secrets Configuration](images/Secrets_configure_2.png)`
			`---`

Ventilate prose (#1305) * ventilate prose * ventilate all the things --------- Co-authored-by: burnettk <burnettk@users.noreply.github.com> 2024-04-01 14:17:38 +00:00			`Configuring secrets in SpiffArena provides a secure way to handle sensitive information in your BPMN diagrams.`
			`It allows you to make your processes public without exposing critical data, thereby enhancing both transparency and security.`