The FaaS Secrets Storage allows you to centrally store, access and distribute secrets across your lambdas. Lambdas can then use the stored access tokens, certificates and encryption keys to establish a connection to external systems.
Note: It is recommended to always use access tokens for authentication to external services. Never store user credentials within the FaaS Secrets Storage.
Internally, FaaS uses HashiCorp Vault to encrypt your secrets using a 256-bit AES cipher in GCM mode with a randomly generated 96-bit nonce before writing them to its persistent storage.
Secrets can be maintained via the Settings tab as a key/value storage. Each value can be of type number, string or JSON.
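The cipher configuration described above (256-bit AES in GCM mode with a random 96-bit nonce), applied to the three value types, as an added Node.js example; it is not Vault's or FaaS's own code. The function names, the `nonce || ciphertext || tag` record layout and the use of the secret's key as additional authenticated data are assumptions of this example and go beyond what the page states.

```javascript
// Added illustration: AES-256-GCM with a random 96-bit nonce (Node's built-in crypto).
// Not Vault's or FaaS's code; record layout and AAD use are assumptions of this example.
const crypto = require("crypto");

const NONCE_LEN = 12; // 96-bit nonce
const TAG_LEN = 16;   // 128-bit GCM authentication tag

// Encrypt a secret value (number, string or JSON) under a 256-bit key.
// The secret's name is passed as additional authenticated data (AAD), so a
// record copied under a different name fails authentication on decrypt.
function sealSecret(key, name, value) {
  if (key.length !== 32) throw new Error("key must be 256 bits");
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh nonce for every write
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(Buffer.from(name, "utf8"));
  const ct = Buffer.concat([
    cipher.update(JSON.stringify(value), "utf8"),
    cipher.final(),
  ]);
  // Assumed layout: nonce || ciphertext || tag
  return Buffer.concat([nonce, ct, cipher.getAuthTag()]);
}

// Decrypt and authenticate a record; throws if the key, name, nonce,
// ciphertext or tag differ from what was sealed.
function openSecret(key, name, record) {
  if (record.length < NONCE_LEN + TAG_LEN) throw new Error("record too short");
  const nonce = record.subarray(0, NONCE_LEN);
  const tag = record.subarray(record.length - TAG_LEN);
  const ct = record.subarray(NONCE_LEN, record.length - TAG_LEN);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, nonce, {
    authTagLength: TAG_LEN,
  });
  decipher.setAAD(Buffer.from(name, "utf8"));
  decipher.setAuthTag(tag);
  const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
  return JSON.parse(pt.toString("utf8"));
}

// Constructed sample data: a throwaway key and a made-up JSON secret.
const demoKey = crypto.randomBytes(32);
const demoRecord = sealSecret(demoKey, "crm_token", { token: "example-token", ttl: 3600 });
console.log(openSecret(demoKey, "crm_token", demoRecord));
```

Because GCM authenticates as well as encrypts, a modified record or a record read back under the wrong name is rejected rather than decrypted to garbage.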
Based on the permission concept for FaaS, the following permissions for managing and using secrets can be configured across different users.
| User Role | User Permission |
|---|---|
| FaaS-Admin | Use this permission sparingly in order to keep the management of the secrets more restrictive and dedicated to a single user. Only the FaaS Admin is able to create, edit, delete and read a secret. |
| FaaS-Developer | This user is only able to use all available secrets within functions via each secret's unique key. |
Within lambdas, the Toolbelt offers a convenient way of reading and updating secrets at runtime. See this document for further details.