janus/secrets

A component for managing application secrets with a layered lookup chain and AWS Secrets Manager integration.

Setup

Add the dependency:

;; deps.edn
{janus/secrets {:mvn/version "..."}}

Require the API namespace:

(require '[janus.secrets.api :as secrets])

Lookup Chain

When resolving a secret via secrets/get, the following sources are checked in order. The first non-nil value wins:

  1. Java system property

  2. Environment variable

  3. .env file (same key as the env var)

  4. AWS Secrets Manager

Naming Conventions

A secret id is a qualified keyword, e.g. :cloudflare/api-token. Each tier derives its key from the id automatically:

Tier                   Pattern             Example
System property        janus.<ns>.<name>   janus.cloudflare.api-token
Environment variable   JANUS_<NS>_<NAME>   JANUS_CLOUDFLARE_API_TOKEN
.env file              same as env var     JANUS_CLOUDFLARE_API_TOKEN
AWS Secrets Manager    <ns>/<name>         cloudflare/api-token
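Because the local tiers win over AWS Secrets Manager, a leftover system property, environment variable or .env entry shadows the managed value, for example after a rotation. The following is an added example, not code from janus/secrets: it derives each tier's key for a secret id and reports which tier would answer first, without calling the library or AWS. Assumptions: the namespace example.secret-source and all function names are hypothetical, the env var form is JANUS_<NS>_<NAME> upper-cased with "-" and "." turned into "_", and .env holds plain KEY=VALUE lines.

```clojure
(ns example.secret-source
  (:require [clojure.string :as str]))

;; Tier keys per the Naming Conventions table. Assumption: the env var form
;; upper-cases the id and turns every "-" and "." into "_".
(defn sysprop-key [id] (str "janus." (namespace id) "." (name id)))
(defn aws-key [id] (str (namespace id) "/" (name id)))
(defn env-key [id]
  (-> (str "JANUS_" (namespace id) "_" (name id))
      (str/replace #"[-.]" "_")
      str/upper-case))

;; Assumption: .env holds plain KEY=VALUE lines; comment lines are skipped.
(defn parse-dotenv [text]
  (into {}
        (for [line (str/split-lines text)
              :let [[_ k v] (re-matches #"\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)" line)]
              :when k]
          [k v])))

(defn resolved-from
  "Returns [tier key] for the first local tier holding `id`, in the
  documented order, or [:aws key] when no local tier has it."
  [id {:keys [props env dotenv]}]
  (or (when (some? (get props (sysprop-key id))) [:system-property (sysprop-key id)])
      (when (some? (get env (env-key id)))       [:env-var (env-key id)])
      (when (some? (get dotenv (env-key id)))    [:dotenv (env-key id)])
      [:aws (aws-key id)]))

;; Constructed sample state: one leftover .env entry, nothing else local.
(def sample
  {:props  {}
   :env    {"PATH" "/usr/bin"}
   :dotenv (parse-dotenv "# local overrides\nJANUS_DB_PASSWORD=old-value\n")})

;; Print the answering tier per id; secret values are never printed.
(doseq [id [:cloudflare/api-token :db/password]]
  (println id "->" (resolved-from id sample)))

;; To audit the live process instead of the sample, pass:
;; {:props  (into {} (System/getProperties))
;;  :env    (into {} (System/getenv))
;;  :dotenv (parse-dotenv (slurp ".env"))}
```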

API Reference

get

(secrets/get :cloudflare/api-token) ;; => "sk-..." or nil

Looks up a single secret by qualified keyword id using the lookup chain above. Returns the string value or nil. Throws on AWS errors other than not-found.

fetch-remote

(secrets/fetch-remote [:cloudflare/api-token :db/password])
;; => {:cloudflare/api-token "sk-..." :db/password "hunter2"}

Batch-fetches secrets from AWS for a seq of qualified keyword ids. Returns a {kw value} map, or an anomaly.

store-remote

(secrets/store-remote :cloudflare/api-token "sk-...")

Stores a secret in AWS Secrets Manager. Creates it if it doesn’t exist, updates it otherwise. Returns the AWS response or an anomaly.

write-dotenv

(secrets/write-dotenv ".env" {:cloudflare/api-token "sk-..." :db/password "hunter2"})

Merges secrets into a .env file. Keys are converted to env var format automatically.

CLI Tool

The secrets tool provides command-line access to secret management.

Invocation

clojure -T:secrets <command> <args>

fetch

Fetches secrets from AWS and writes them to .env:

clojure -T:secrets fetch :secrets '[:cloudflare/api-token :db/password]'

store

Stores a secret in AWS Secrets Manager (prompts for the value securely):

clojure -T:secrets store :secret :cloudflare/api-token

AWS Authentication

You must be authenticated with AWS before using remote operations.

# Log in via SSO
aws sso login

# Or specify a profile
AWS_PROFILE=my-profile clojure -T:secrets fetch :secrets '[:cloudflare/api-token]'

The standard AWS credential chain applies: environment variables, profiles, IAM roles, etc.