
Hi, there are quite a few environment-dependent configurations and secrets (database passwords, API keys) that are required for running AIMMS apps. Currently, I see modelers:

  • Storing those secrets unencrypted in the AIMMS Central Storage. This is obviously not very secure.  
  • Including those secrets in their AIMMSpack. This has the downside that you need to create separate AIMMSpacks for test & production environments, which I would consider a bad practice. Furthermore, in this situation you cannot create an AIMMSpack based on your git repo: you also need files outside of that repo (since secrets shouldn't be in git). This is risky and might (at some point) also hinder CI/CD practices.

It would be nice to have a proper way to store secrets and configurations. For example, with Azure Key Vault (or something similar).

Again, Sander, thanks for bringing this up. It is not the first time we hear about it. We will also look into this one, exploring what options we have.

I was assuming that with a trend towards 'bring your own ID/authorization', the need to store secrets would eventually get less. But that assumption might be wrong.

Regards,

Jan-Willem


Just an update: We have started refining this and are looking for options. We wrote the following so far:

Enabling our app developers (=customers) to store app-related secrets on our cloud platform: probably a technical solution and user documentation.

Typical use cases: database credentials, storage access keys.

Requirements:

  1. AIMMS running inside a pod can retrieve a secret needed by the app
  2. CRUD on secrets
  3. Must-have: at cloud customer account level
  4. Could-have: at application-role level (later)


Possible solution 1:

  1. Key Vault per cloud customer account
  2. Managed Identity per cloud customer account
  3. K8s Service Account to which the Managed Identity is linked through an environment variable
  4. This will give the pod API access to the Key Vault
  5. Provide an AIMMS library for Key Vault access

Possible solution 2:

  1. Store customer-account-specific JSON files with secrets into our ‘central’ Key Vault
  2. Provide that JSON file as environment to the application running inside the pod
  3. Provide to app developers an API for CRUD on application secrets

Next step is technical refinement/design and then estimation of the effort required. But please let us know what you think so far.

Jan-Willem
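As an added illustration of what "Possible solution 1" could look like on the cluster side (this is not AIMMS code or a design from the thread): a per-customer Kubernetes ServiceAccount linked to a per-customer Managed Identity via Azure Workload Identity, so the pod reaches the customer's Key Vault with a short-lived token and the manifest itself carries no secret. It assumes an AKS cluster with the Workload Identity webhook enabled, a Managed Identity with a federated credential for this service account and the "Key Vault Secrets User" role on the vault; all names and IDs are placeholders.

```yaml
# Assumptions (not from the thread): AKS with the Azure Workload Identity
# webhook enabled; a user-assigned Managed Identity per customer account that
# (a) has a federated credential trusting this cluster's OIDC issuer for the
# service account below and (b) holds "Key Vault Secrets User" on that
# customer's vault. Namespace-per-customer is also an assumption.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aimms-app-sa
  namespace: customer-acme                 # placeholder customer account
  annotations:
    # Links this ServiceAccount to the customer's Managed Identity.
    azure.workload.identity/client-id: "<MANAGED-IDENTITY-CLIENT-ID>"
---
apiVersion: v1
kind: Pod
metadata:
  name: aimms-app
  namespace: customer-acme
  labels:
    # Tells the webhook to inject AZURE_CLIENT_ID, AZURE_TENANT_ID and
    # AZURE_FEDERATED_TOKEN_FILE and to mount a projected, short-lived token.
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: aimms-app-sa
  containers:
    - name: aimms
      image: "<AIMMS-IMAGE>"                 # placeholder
      env:
        # Only the vault location is configuration; no secret value lives here.
        - name: KEY_VAULT_URL
          value: "https://<CUSTOMER-VAULT-NAME>.vault.azure.net/"
      securityContext:
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
```

Because the identity is bound to the service account rather than to a file, the same AIMMSpack can run in test and production against different vaults, and rotating a credential happens in Key Vault, not in the app package.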



Hi Jan-Willem, thanks for the update. For me, this request is (functionally) linked to this request: 

For that to succeed, I think that also the application level is needed (not only customer account level). (And indeed, application + role level would even be nicer.)

The technical implementation is outside of my area of expertise, so I'll leave that up to you.



You may well be right Sander. Thanks.

Jan-Willem


Sander, this item is on our ‘workbench’, trying to come up with a design, amidst some other projects.

Jan-Willem


Latest update: this has been planned for the current Program Increment, expecting a release in Q2 2025.

