Passwords and Secrets
Note
Never put a password, API key, or other credential in a job submission in plain text. Define it once as an organizational secret under Secrets in the VTK web UI and reference it from any task parameter.
Note
You need admin privileges within your organization to set up an organizational secret.
Referencing a secret
Any string parameter accepts the {secret-name} syntax. At job execution time, the runner substitutes the secret value before the tool sees it; the substituted value never appears in logs or in the job body returned by the API.
{
  "tool": "shaka:package_dash",
  "parameters": {
    "asset_id": "demo_{job_id}",
    "environment": "STAGING",
    "merchant": "acme",
    "user": "acme::ops",
    "password": "{acme-drmtoday-password}",
    "drmkeys": [
      { "key_label": "video_key", "key_streamtype": "VIDEO" },
      { "key_label": "audio_key", "key_streamtype": "AUDIO" }
    ]
  }
}
Here {acme-drmtoday-password} is a secret created under Secrets in the VTK web UI, with the DRMtoday user’s password as its value. The secret name is whatever you set in the UI — kebab-case is the convention.
The same pattern is used for AWS access keys inside an S3 URL. s3://{acme-aws-access-keys}@acme-bucket/in/ resolves the access keys from the secret named acme-aws-access-keys.
Naming conventions
Secret names: kebab-case (acme-drmtoday-password, acme-aws-access-keys).
Inside any string parameter: wrap the name in curly braces — {acme-drmtoday-password}.
Inside an S3 URL: place the credentials secret before the bucket separated by @ — s3://{secret-name}@bucket/path.
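An added example, not part of VTK or its documentation: a pre-submission check that walks a job body and flags credential fields and S3 URLs holding literal values instead of {secret-name} references. The SENSITIVE_KEYS list and the input_url parameter name are assumptions, and the check treats the kebab-case convention as mandatory.

```python
import json
import re

# Assumption: parameter names treated as credential fields; extend for your tools.
SENSITIVE_KEYS = {"password", "api_key", "token"}
# Whole-value reference in the page's convention: {kebab-case-name}
SECRET_REF = re.compile(r"^\{[a-z0-9]+(?:-[a-z0-9]+)*\}$")
# Captures the part of an S3 URL before "@", where credentials would sit.
S3_USERINFO = re.compile(r"s3://([^@/\s]+)@")


def find_plaintext_credentials(node, path="$"):
    """Return (json_path, reason) pairs for values that are not secret references."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            literal = isinstance(value, str) and not SECRET_REF.match(value)
            if key.lower() in SENSITIVE_KEYS and literal:
                findings.append((child, "literal value in credential field"))
            findings.extend(find_plaintext_credentials(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_plaintext_credentials(item, f"{path}[{i}]"))
    elif isinstance(node, str):
        for userinfo in S3_USERINFO.findall(node):
            if not SECRET_REF.match(userinfo):
                findings.append((path, "S3 URL carries inline credentials"))
    return findings


def lint_job(job_json):
    """Parse a job body and return its findings; an empty list means it passes."""
    return find_plaintext_credentials(json.loads(job_json))


# Constructed sample jobs; "input_url" is a hypothetical parameter name.
GOOD_JOB = """{"tool": "shaka:package_dash", "parameters": {
  "asset_id": "demo_{job_id}", "password": "{acme-drmtoday-password}",
  "input_url": "s3://{acme-aws-access-keys}@acme-bucket/in/"}}"""
BAD_JOB = """{"tool": "shaka:package_dash", "parameters": {
  "asset_id": "demo_{job_id}", "password": "constructed-plaintext-value",
  "input_url": "s3://EXAMPLEKEY:EXAMPLESECRET@acme-bucket/in/"}}"""

if __name__ == "__main__":
    for name, job in (("GOOD_JOB", GOOD_JOB), ("BAD_JOB", BAD_JOB)):
        print(name, lint_job(job) or "ok")
```

Run it in CI or a submission wrapper and reject the job when the returned list is non-empty.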
See also
Quickstart Example B — the full DRM-encrypted DASH job that uses this secret pattern.
Security → IAM — using IAM role assumption instead of access-key secrets for S3.