Spin secrets providers

[radu-matei]

Say my applications needs a secret in order to perform some operation. This can be a database connection string, an access key for a storage account, or a certificate file needed to connect to some server.

Right now, the only way to get this into a Spin application is either through an environment variable, or through a file.
Let's explore these one at a time:

• environment variables: they have to either be specified directly in spin.toml, or they must be passed as a flag when running with spin up.
• files: they have to be present locally when running spin up from a local directory, or they must be distributed using Bindle.

Realistically, none of these really satisfy real use cases.
Ideally, I would like to reference a secret value or file in my spin.toml, then rely on something to make that value available for me at runtime:

[[component]]
...
files = [ "content/**/*" , "templates/*", "scripts/*", "config/*"]
secrets = [ { reference = "SECRET_FROM_STORE", file = "/file/to/map/in/wasm" }, { reference = "ANOTHER_SECRET", env = "ENVIRONMENT_VARIABLE_WITH_SECRET } ]

At runtime, the secret store configured for this component MUST contain the secrets referenced, otherwise the component instantiation will fail.

Implementations for secrets providers could include reading the secrets from a file (suitable for local development), or reading from a service like Vault (or your favorite cloud secrets store).

[lann]

I like the idea. Would it make sense to generalize it to "config provider" or something? The "slot that must be filled" concept seems like it would be useful beyond secrets.

[lann]

Any concern closing this in favor of #202?

[radu-matei]

Yeah, #202 does seem to supersede this.
Thanks!