Secrets Management Guide
This document describes how secrets and environment variables are managed in toto-ai-hub.
๐ Pattern Overviewโ
All secrets follow a consistent pattern:
- Secrets are stored in Google Secret Manager
- Referenced in
apphosting.yamlusing thesecret:field - Accessed via
process.env.VARIABLE_NAMEin code - No hardcoded values - all sensitive data comes from secrets
๐ Current Secretsโ
Google AIโ
- Variable:
GOOGLE_AI_API_KEY - Secret Name:
toto-ai-hub-google-ai-key-v2 - Usage: Gemini API access
Firebase Service Accountsโ
-
Variable:
TOTO_APP_STG_SERVICE_ACCOUNT_KEY -
Secret Name:
toto-app-stg-service-account -
Usage: Access to toto-app-stg Firestore
-
Variable:
TOTO_BO_SERVICE_ACCOUNT_KEY -
Secret Name:
toto-bo-service-account -
Usage: Access to toto-bo Firestore (shared KB)
Instagram Basic Display APIโ
-
Variable:
INSTAGRAM_ACCESS_TOKEN -
Secret Name:
toto-ai-hub-instagram-access-token -
Usage: Instagram Basic Display API access token (global fallback)
-
Variable:
INSTAGRAM_USER_ID -
Secret Name:
toto-ai-hub-instagram-user-id -
Usage: Instagram user ID for Basic Display API (global fallback)
Instagram Web Scraping (Fallback)โ
-
Variable:
INSTAGRAM_USERNAME -
Secret Name:
toto-ai-hub-instagram-username -
Usage: Instagram bot account username for web scraping
-
Variable:
INSTAGRAM_PASSWORD -
Secret Name:
toto-ai-hub-instagram-password -
Usage: Instagram bot account password for web scraping
๐๏ธ Configuration Patternโ
In apphosting.yamlโ
env:
- variable: VARIABLE_NAME
secret: secret-name-in-secret-manager
availability:
- BUILD
- RUNTIME
In Codeโ
// Access secret via environment variable
const apiKey = process.env.GOOGLE_AI_API_KEY;
if (!apiKey) {
throw new Error('GOOGLE_AI_API_KEY not configured');
}
๐ Priority Orderโ
For guardian-specific credentials (like Instagram), the system uses this priority:
- Guardian-specific (from Firestore) -
guardian.instagramAccessToken - Global secret (from Secret Manager) -
process.env.INSTAGRAM_ACCESS_TOKEN - Fallback method (web scraping with login)
๐ Adding New Secretsโ
Step 1: Create Secret in Google Secret Managerโ
- Go to Google Cloud Console
- Select project:
toto-ai-hub - Click "CREATE SECRET"
- Enter secret name (e.g.,
toto-ai-hub-new-secret) - Enter secret value
- Click "CREATE SECRET"
Step 2: Add to apphosting.yamlโ
env:
- variable: NEW_SECRET_VARIABLE
secret: toto-ai-hub-new-secret
availability:
- BUILD
- RUNTIME
Step 3: Use in Codeโ
const secretValue = process.env.NEW_SECRET_VARIABLE;
if (!secretValue) {
console.warn('NEW_SECRET_VARIABLE not configured');
}
Step 4: Documentโ
Add the secret to this file (SECRETS_MANAGEMENT.md) under the appropriate section.
๐งช Local Developmentโ
For local development, secrets can be set in .env file:
GOOGLE_AI_API_KEY=your_key_here
INSTAGRAM_ACCESS_TOKEN=your_token_here
INSTAGRAM_USER_ID=your_user_id_here
Note: Never commit .env files to git. They are in .gitignore.
โ ๏ธ Best Practicesโ
- Never hardcode secrets - Always use environment variables
- Use descriptive secret names - Follow the pattern:
toto-ai-hub-{service}-{purpose} - Document all secrets - Keep this file updated
- Use guardian-specific tokens when possible - More secure than global secrets
- Log secret usage - But never log the actual secret values
- Validate secrets on startup - Fail fast if required secrets are missing
๐ Troubleshootingโ
Secret Not Foundโ
If you see errors like "Secret not found":
- Check Secret Manager - ensure secret exists
- Check
apphosting.yaml- ensure secret name matches - Check variable name - ensure it matches in code
- Redeploy - secrets are loaded at deployment time
Secret Not Accessibleโ
If secret exists but code can't access it:
- Check
availabilityinapphosting.yaml- should includeRUNTIME - Check variable name - must match exactly
- Check deployment logs - secrets are loaded during build/runtime