External Values

You can inject external values into the configuration file. These can, for example, be secrets taken from environment variables or from AWS Secrets Manager.

Environment Variables

The simplest way to use an environment value in the configuration is to just use an environment variable with the name of the entry in the configuration file that you want to replace. The name of the environment variable should be upper case with _ separating each word.

For example, suppose you want to set the EncryptorMasterPassword in the [Database] section. You will then need to set the environment variable ENCRYPTOR_MASTER_PASSWORD. If you run the MPC node in a docker container, you can for example set the environment variable in a docker compose file:

services:
  tsm_node:
    image: nexus.sepior.net:19001/tsm-node:latest
    environment:
      ENCRYPTOR_MASTER_PASSWORD: "Password123!"

Alternatively, you can use the env tag in your MPC node configuration file:

[Database]
  EncryptorMasterPassword = "{{ env `MY_PASSWORD` }}"

The MPC node will then use the value of the environment variable MY_PASSWORD as the encryptor master password.

All environment variable replacements take place at once, when the MPC node starts up. If the value of an environment variable is later changed, this will not affect the MPC node, unless it is restarted.

AWS Secrets Manager

You can also inject secrets from AWS Secrets Manager using a syntax like this:

[Database]
  EncryptorMasterPassword = "{{ aws `prod/encryptor-master-password` `eu-central-1` }}"

The MPC node will then replace this with the secret named prod/encryptor-master-password, fetched from AWS Secrets Manager in the AWS region eu-central-1. You can inject multiple secrets into the config file like this, but they must all fetch secrets from the same AWS region.

As with environment variables, this replacement happens once, when the MPC node starts up. If the secret is rotated in AWS Secrets Manager, the MPC node will therefore keep using the old value until it is restarted.

For the injection from AWS Secrets Manager to work, the MPC node must be allowed to perform the IAM action secretsmanager:GetSecretValue on each of the secrets, for example by running the MPC node on an AWS EC2 instance that is assigned an IAM role with this permission.
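To make the two mechanisms above concrete, here is an added example (not part of the MPC node or its documentation) that resolves the implicit ENCRYPTOR_MASTER_PASSWORD-style variable names and expands env and aws tags exactly once, rejecting a config that mixes AWS regions. The CamelCase-to-UPPER_SNAKE rule, the fake secret store and the sample config are assumptions constructed for the example.

```python
import re
from typing import Callable, Mapping

# Tag syntax used in the MPC node config: {{ env `NAME` }} and
# {{ aws `secret-name` `region` }}; arguments are backtick-quoted.
TAG_RE = re.compile(r"\{\{\s*(env|aws)((?:\s*`[^`]*`)+)\s*\}\}")
ARG_RE = re.compile(r"`([^`]*)`")

def to_env_name(key: str) -> str:
    """Implicit override variable for a config key, e.g.
    EncryptorMasterPassword -> ENCRYPTOR_MASTER_PASSWORD (assumed rule:
    underscore before each capital letter, then upper-case)."""
    return re.sub(r"(?<!^)(?=[A-Z])", "_", key).upper()

def expand(text: str, env: Mapping[str, str],
           fetch_secret: Callable[[str, str], str]) -> str:
    """Resolve every env/aws tag exactly once, as the node does at startup.
    fetch_secret stands in for the Secrets Manager call; all aws tags must
    name the same region, so mixing regions is rejected up front."""
    regions: set = set()

    def repl(m) -> str:
        kind, args = m.group(1), ARG_RE.findall(m.group(2))
        if kind == "env":
            if len(args) != 1:
                raise ValueError(f"env tag takes one argument: {m.group(0)}")
            if args[0] not in env:
                raise KeyError(f"environment variable {args[0]} is not set")
            return env[args[0]]
        if len(args) != 2:
            raise ValueError(f"aws tag takes name and region: {m.group(0)}")
        name, region = args
        regions.add(region)
        if len(regions) > 1:
            raise ValueError("aws tags must share one region: " + ", ".join(sorted(regions)))
        return fetch_secret(name, region)

    return TAG_RE.sub(repl, text)

# Constructed sample config and fake secret store (not real values).
SAMPLE_CONFIG = """[Database]
  EncryptorMasterPassword = "{{ env `MY_PASSWORD` }}"
  DataSourceName = "{{ aws `prod/dsn` `eu-central-1` }}"
"""
FAKE_SECRETS = {("prod/dsn", "eu-central-1"): "postgres://db.example/db"}

def demo() -> str:
    return expand(SAMPLE_CONFIG, {"MY_PASSWORD": "Password123!"},
                  lambda name, region: FAKE_SECRETS[(name, region)])
```

iam tags are deliberately left untouched by expand, since they are resolved per database connection rather than at startup.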

IAM Database Authentication

If your MPC node uses an AWS RDS PostgreSQL, MariaDB or MySQL database for storage, you can optionally configure the MPC node to use IAM Database Authentication. This is done using the iam tag in the MPC node configuration file as in this example:

[Database]
  DriverName = "mysql"
  DataSourceName = "{{ iam mysql `dbuser` `my-rds.cf4m8zm7yt0e.eu-central-1.rds.amazonaws.com:3306` `db` `eu-central-1` }}"

In this example, the MPC node uses a MySQL RDS instance for storage. The database name is db, the database user is dbuser, and the RDS instance is located in the AWS region eu-central-1 and is reachable at my-rds.cf4m8zm7yt0e.eu-central-1.rds.amazonaws.com, port 3306. The MPC node will replace this with an RDS IAM authentication token requested for the given RDS database.

The first argument of the iam tag selects the database engine: use mariadb, postgres or mysql to match what your RDS instance is running.

Unlike the env and aws tags, which are replaced once when the MPC node starts up, the iam tag causes the MPC node to request a new IAM authentication token each time it creates a new database connection. If you combine this with ConnMaxLifetime as in the following example, connections are closed after 10 minutes and the replacement connections request fresh tokens, so the MPC node refreshes its RDS IAM tokens at least every 10 minutes.

[Database]
  DriverName = "postgres"
  DataSourceName = "{{ iam postgres `my_db_user` `my_rds.cf4m8zm7yt0e.eu-central-1.rds.amazonaws.com:5432` `my_db` `eu-central-1` }}"
  ConnMaxLifetime = "10m"

In order for the iam tag to work, the MPC node must be allowed to perform the IAM action rds-db:connect for the given RDS database user and database. This can for example be done by running the MPC node container on an EC2 instance that is assigned an IAM role with this permission. In addition, the database user must be granted special rights in the database. You can read more about how to set this up in the AWS IAM Database Authentication documentation.