Dependencies

• Install the Metaplay CLI — You need the Metaplay CLI tool to manage Kubernetes secrets.

Key Concepts

Secrets are objects that store confidential data, such as passwords or API keys, for use in the game server. They help keep sensitive data separate from application code.

Overview

This guide walks you through creating your first secret in a cloud environment and using it in your game server.

Create a Secret

First, create a secret in your environment using the Metaplay CLI to store credentials for an imaginary service with the name user-some-credentials. The secret contains two named entries: username and password, each with its own value.

For demonstration purposes, the username is specified directly on the command line and the password from a file.

# Here we're creating a secret named user-some-credentials on the my-environment environment with keys username and password
MyProject$ metaplay secrets create my-environment user-some-credentials --from-literal=username=myusername --from-file=password=password.txt

Kubernetes secrets can contain multiple named entries. This is useful for grouping several related secret values in a single secret object.

💡 Note

Secret names must begin with the user- prefix to ensure they do not clash with any built-in secrets in the environment.

Access the Secret

To access the secret from your game server code, you'll need to add it to your runtime options.

Options.<env>.yaml

MySecret:
  # The 'kube-secret://' prefix indicates that the value should be resolved from the Kubernetes secret.
  # Note that you must refer to the secret with both the secret and key name, using the special syntax.
  PasswordSecretPath: "kube-secret://user-some-credentials#password"

This example only reads the password from the secret, but you can read any other entry as well.

Then, you can resolve the password secret value in your game server code.

[RuntimeOptions("MySecret", isStatic: false, "")]
public class MySecretOptions : RuntimeOptionsBase
{
    // PasswordSecretPath is the path to the password secret, defined in Options.yaml.
    [MetaDescription("The path to the password secret.")]
    public string PasswordSecretPath { get; private set; } = null;

    // This is the resolved value for the password. The attributes prevent the value from being logged.
    [IgnoreDataMember, Sensitive]
    public string ResolvedPassword { get; private set; }

    ...

    public override async Task OnLoadedAsync()
    {
        // Resolve the value for the password from the Kubernetes secret.
        ResolvedPassword = await SecretUtil.ResolveSecretAsync(Log, PasswordSecretPath).ConfigureAwait(false);
    }
}

Managing Secrets

Besides creating Secrets, the Metaplay CLI also provides some utilities to list, delete and show Secrets.

MyProject$ metaplay secrets show my-environment user-some-credentials
MyProject$ metaplay secrets delete my-environment user-some-credentials
MyProject$ metaplay secrets list my-environment

💡 Note

To update a secret, you must first delete the existing secret and then create it again. We'll add an update command in the future.

Programmatic Use

The CLI supports showing the secrets in JSON format, which can be useful for programmatic use.

For example, you could use the following to extract a value from a secret into an environment variable:

MyProject$ PASSWORD=$(metaplay secrets show my-environment user-some-credentials --format=json | jq -r .data.password)

Further Reading

You can get more details about the available CLI secrets management commands with metaplay secrets --help and then for each individual command with, e.g., metaplay secrets list --help.