Version: ACE 5

Config sources

VERSION 25.5

This information is only applicable from version v25.5.x and up

Supported providers

ACE lets you configure one or more providers for retrieving variables. This applies both to variables used to configure ACE services and to variables used in your workspace (e.g. $env.MY_VARIABLE in flows).

Currently supported variable providers are:

  • env - Environment variables
  • azure - Azure key-vault secrets

Configuration

The configuration described in this section can only be retrieved from environment variables, whereas the rest of the configuration can come from various providers.

  • ACE_CONFIG_SOURCE (default: env) - Comma-separated list of one or more providers to be used for retrieving variables. If a variable exists in multiple providers, the right-most provider takes precedence.

Azure provider

info

When ACE is configured with ACE_CONFIG_SOURCE=azure, it requires the Get and List permissions on key-vault secrets.

Azure key-vault provider

  • ACE_AZURE_KEY_VAULT_URL (required) - Specifies URL of the key-vault to be used.
  • ACE_AZURE_KEY_VAULT_PREFIX - Specifies the prefix used to search for secrets in the key-vault. Secrets whose names do not start with this prefix are not resolved.

ACE uses the official @azure/identity npm library with DefaultAzureCredential, which reads its own environment variables for authenticating to the key-vault. See the @azure/identity documentation for further configuration.

Azure naming limitations

Azure key-vault secret names may only contain alphanumeric characters and dashes, so underscores are not allowed. For this reason, ACE applies a basic mapping when retrieving secrets from azure: all dashes (-) are mapped to underscores (_).

Example: The key-vault secret REDIS-CACHE-KEY will be retrieved by ACE as REDIS_CACHE_KEY.

Practical example

Let's assume the following configuration is set:

ACE_CONFIG_SOURCE=env,azure
ACE_AZURE_KEY_VAULT_PREFIX=MY-ENV-
ACE_AZURE_KEY_VAULT_URL=<azkv-url>
# Envs expected by DefaultAzureCredential (@azure/identity)
AZURE_TOKEN_CREDENTIALS=prod
AZURE_TENANT_ID=<secret>
AZURE_CLIENT_ID=<secret>
AZURE_CLIENT_SECRET=<secret>

And let's assume these are the contents of each provider:

Environment (ACE_CONFIG_SOURCE=env)
ACE_SECRET_ENCRYPTION_KEY=KEY_1
EXTERNAL_SERVICE_URL=URL_1

Azure key-vault secrets (ACE_CONFIG_SOURCE=azure)
MY-ENV-ACE-SECRET-ENCRYPTION-KEY=KEY_2
# Notice: this variable does not have the expected `MY-ENV-` prefix, so it will not be resolved.
EXTERNAL-SERVICE-URL=URL_2

ACE would resolve the variables as such:

  • ACE_SECRET_ENCRYPTION_KEY as KEY_2.
    The variable is defined in both env and azure, but azure has higher priority because it appears last in the ACE_CONFIG_SOURCE list.
  • EXTERNAL_SERVICE_URL as URL_1.
    The key-vault secret EXTERNAL-SERVICE-URL lacks the MY-ENV- prefix and is not resolved, so env is the only place the variable can be resolved from.
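
The resolution rules above (prefix filter, dash-to-underscore mapping, right-most provider wins), as an added JavaScript example that is not ACE's own code. The function names resolveVariables and mapAzureSecrets are hypothetical, stripping the prefix from the resolved name is inferred from the practical example, and treating an unset prefix as "match every secret" is an assumption.

```javascript
// Added illustration; not ACE source code. Provider contents are constructed
// sample data copied from the practical example on this page.
const providers = {
  env: {
    ACE_SECRET_ENCRYPTION_KEY: 'KEY_1',
    EXTERNAL_SERVICE_URL: 'URL_1',
  },
  azure: {
    'MY-ENV-ACE-SECRET-ENCRYPTION-KEY': 'KEY_2',
    'EXTERNAL-SERVICE-URL': 'URL_2', // no MY-ENV- prefix: ignored
  },
};

// Map key-vault secret names to variable names: keep only secrets that start
// with the prefix, strip it (inferred from the example), then turn dashes
// into underscores. Assumption: an empty prefix matches every secret.
function mapAzureSecrets(secrets, prefix = '') {
  const out = {};
  for (const [name, value] of Object.entries(secrets)) {
    if (!name.startsWith(prefix)) continue;
    out[name.slice(prefix.length).replace(/-/g, '_')] = value;
  }
  return out;
}

// Resolve every variable and record which provider supplied the winning value.
// Providers are applied left to right, so the right-most one overwrites.
function resolveVariables(configSource, contents, azurePrefix) {
  const resolved = {};
  for (const provider of configSource.split(',').map((p) => p.trim())) {
    if (!Object.hasOwn(contents, provider)) {
      throw new Error(`Unsupported provider: ${provider}`);
    }
    const vars = provider === 'azure'
      ? mapAzureSecrets(contents[provider], azurePrefix)
      : contents[provider];
    for (const [name, value] of Object.entries(vars)) {
      resolved[name] = { value, source: provider };
    }
  }
  return resolved;
}

const result = resolveVariables('env,azure', providers, 'MY-ENV-');
console.log(result);
```

Recording the source next to each value makes it easy to audit which provider actually supplied a secret such as ACE_SECRET_ENCRYPTION_KEY when the same name exists in more than one place.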