Using Keeper Secrets Manager to store your Heroku application's sensitive secrets.
Securely store secret credentials in the Keeper Vault and use them in Heroku without exposure
Copy files from the Keeper vault into your Heroku Apps
Utilize other Secrets Manager SDK features (such as record creation and TOTP codes) from Heroku
For a complete list of Keeper Secrets Manager features see the Overview
Heroku offers the ability to store configuration variables for your application. The problem is that it stores the values in a viewable format. Keeper Secrets Manager allows you to store your sensitive secrets offsite in a zero-knowledge environment.
The Keeper Secrets Manager SDK can be used with Heroku
See the example project below to get an idea of the capabilities of Keeper Secrets Manager with Heroku
This example uses the Keeper Secrets Manager SDK to retrieve a webhook token to send messages to a channel in Slack from a Heroku web application.
The first step is getting a webhook token from your instance of Slack. Log in to the Slack website and go to Your Apps.
Create a new app by clicking the Create New App button and selecting From scratch from the dialog box. At this point enter an App Name and select the workspace you want to develop your app in.
Next click the Incoming Webhooks button.
Turn On the Incoming Webhooks. This will show the Webhook URLs for Your Workspace section. Click the Add New Webhook to Workspace button.
Then select a channel in your workspace.
Now at the bottom of the Incoming Webhooks page, there will be a Webhook URL. For this example, copy the URL. This will be placed in a Keeper Vault record.
In the Keeper Vault create a Login record to hold the Slack Webhook URL in the Shared Folder. The Shared Folder can be added to and used by an Application. Reference the Quick Start Guide for more details.
Copy the Webhook URL into the Website Address field of the Login record and save. Once saved, click on the information icon of the record to see the Record UID. You can copy a Record UID URL into the clipboard, which will contain the actual Record UID. You only need that part of the URL.
For this example, a Heroku account and Python 3 are required. The next step is to install the Heroku CLI following their instructions.
With the Heroku CLI installed an application can be created.
The generated name of your application will be different than in this example.
That will create a blank Git repository that will be used for the application. The Git repository can then be cloned. There will be a warning about it being empty. After that change into the repository directory.
With the repository cloned, the config variables can be set. There are two config variables that need to be set. The first is RECORD_UID, which is the Record UID of the record that contains the Webhook URL. The second is KSM_CONFIG, which contains the Base64 encoded Secrets Manager configuration.
See the Configuration documentation for details on creating a Base64 configuration
With the configuration variables in place, the application can be added. The first step is to define the requirements for the Python 3 application. The requirements.txt file contains Flask used for the website, slack_sdk used to communicate with Slack, and keeper-secrets-manager-core to communicate with Secrets Manager.
In your preferred editor save the contents of the following to app.py.
This is a simple Flask web application that will display a form input box and a submit button. Any text entered into the input box will be sent to your Slack channel.
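As an added example (not the original page's app.py listing and not Keeper's own code), the following shows one way to write such an application with the three packages from requirements.txt. The names `fetch_webhook_url` and `create_app`, the per-request lookup, and the check that the stored URL points at hooks.slack.com are assumptions of this example.

```python
import os
from urllib.parse import urlparse

FORM = '<form method="post"><input name="message"><input type="submit"></form>'


def fetch_webhook_url(env=os.environ, secrets_manager=None):
    """Read the Slack webhook URL from the Keeper record named by RECORD_UID."""
    record_uid = env.get("RECORD_UID")
    if not record_uid:
        raise RuntimeError("RECORD_UID config variable is not set")
    if secrets_manager is None:
        if not env.get("KSM_CONFIG"):
            raise RuntimeError("KSM_CONFIG config variable is not set")
        # Imported lazily so the lookup logic can be tested with a stand-in client.
        from keeper_secrets_manager_core import SecretsManager
        from keeper_secrets_manager_core.storage import InMemoryKeyValueStorage
        # KSM_CONFIG is the Base64 configuration; it is held in memory, not written to disk.
        secrets_manager = SecretsManager(config=InMemoryKeyValueStorage(env["KSM_CONFIG"]))
    records = secrets_manager.get_secrets([record_uid])
    if not records:
        raise RuntimeError("record not found or not shared with this application")
    # The Website Address field of a Login record has the field type "url".
    url = records[0].field("url", single=True)
    parts = urlparse(url or "")
    # Added check (assumption): only post to Slack's incoming-webhook host over TLS.
    if parts.scheme != "https" or parts.hostname != "hooks.slack.com":
        raise RuntimeError("record does not hold a Slack webhook URL")
    return url


def create_app():
    from flask import Flask, request
    from slack_sdk.webhook import WebhookClient
    app = Flask(__name__)

    @app.route("/", methods=["GET", "POST"])
    def index():
        message = request.form.get("message", "").strip()
        if request.method == "POST" and message:
            # Fetched per request; the URL is never logged or echoed to the browser.
            resp = WebhookClient(fetch_webhook_url()).send(text=message)
            return FORM + ("<p>Sent.</p>" if resp.status_code == 200 else "<p>Failed.</p>")
        return FORM

    return app


if __name__ == "__main__":
    create_app().run(host="0.0.0.0", port=int(os.environ.get("PORT", "5000")))
```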
The last part is to give Heroku information on how to start your application using the Procfile file.
Now the application is ready to be run. Add the files to your Git repository and push the main branch. This will build and launch the application.
At this point you can visit the web site either by going to the URL, e.g. https://random-name-30564.herokuapp.com/, or by using the following command line.
This will display a simple web site. Enter a message and click submit.
The message should appear in the channel for the created Webhook.