Skip to main content
DeployStack provides a secure cloud credentials management system that allows teams to store and manage cloud provider credentials for deployments. This system features encryption, role-based access control, and provider validation.

Architecture Overview

The cloud credentials system consists of several key components:
  • Provider Configuration: Defines supported cloud providers and their required fields
  • Encryption Service: Handles secure storage of credential values
  • Validation System: Validates credential data against provider schemas
  • Role-Based Access: Different response formats based on user permissions
  • API Layer: RESTful endpoints for credential management

Database Schema

Team Cloud Credentials Table

Key Features

  • Team Isolation: Credentials are scoped to specific teams
  • Provider Support: Multiple cloud providers per team
  • Encrypted Storage: All credential values are encrypted
  • Audit Trail: Tracks creation and modification metadata
  • Unique Constraints: Prevents duplicate credential names per provider/team

Provider Configuration

Cloud providers are configured in services/backend/config/cloud-providers.ts:

Example Provider Configuration

Encryption System

Storage Format

Credentials are stored as encrypted JSON with metadata:

Encryption Process

  1. Field Validation: Validate against provider schema
  2. Individual Encryption: Each field value encrypted separately
  3. Metadata Storage: Include field type and timestamp
  4. JSON Serialization: Store as encrypted JSON string

Security Features

  • AES-256-GCM: Industry-standard encryption algorithm
  • Separate Keys: Encryption keys managed separately from data
  • Field-Level: Each credential field encrypted individually
  • No Plaintext: Credential values never stored in plaintext

Role-Based Access Control

The cloud credentials system uses team-contextual permissions rather than global permissions. For detailed role information and permission matrices, see Role-Based Access Control.

Access Levels

Key Security Features

  • Team Isolation: Users can only access credentials from teams they belong to
  • No Secret Exposure: Secret values are never returned in API responses
  • Role-Based Responses: API responses vary based on user’s role within the team
  • Global Admin Limitations: Even global admins cannot see credential values

API Implementation

Service Layer

The CloudCredentialsService provides the core business logic:

Route Implementation

Routes automatically detect user role and call appropriate service methods:

API Endpoints

List Cloud Providers

Returns available cloud providers with their field schemas.

List Team Credentials

Returns credentials list with response format based on user role.

Create Credentials

Update Credentials

Supports partial updates of name, comment, and credential values.

Delete Credentials

Permanently removes credentials from the team.

Validation System

Create vs Update Validation

The system provides two validation functions to handle different scenarios:

Full Validation (Create)

Partial Validation (Update)

Update Process

When updating credentials, the system:
  1. Validates only provided fields using validateCredentialDataForUpdate
  2. Retrieves existing credentials from encrypted storage
  3. Merges updates with existing values
  4. Re-encrypts the complete credential set
This allows partial updates without requiring users to re-submit secret values.

Validation Rules

  • Required Fields: Enforced based on provider configuration
  • Field Types: Text, password, textarea validation
  • Format Validation: Pattern matching, length constraints
  • Provider Schema: Validates against defined field structure
  • Partial Updates: Only validates fields being updated

Error Handling

Common Error Scenarios

Error Response Format

Security Considerations

Data Protection

  • Encryption at Rest: All credential values encrypted before storage
  • No Plaintext Logs: Credential values never logged in plaintext
  • Secure Transmission: HTTPS required for all API calls
  • Access Control: Role-based response filtering

Best Practices

  • Principle of Least Privilege: Users see only necessary information
  • Audit Logging: Track all credential operations
  • Regular Rotation: Encourage credential rotation
  • Secure Defaults: Safe fallbacks for all operations

Adding New Providers

1. Define Provider Configuration

Add new provider to cloud-providers.ts:

2. Update Provider Registry

Add to the providers array and export:

3. Test Integration

  • Validate field schemas work correctly
  • Test encryption/decryption of new field types
  • Verify API responses include new provider
  • Test credential creation and validation

Troubleshooting

Common Issues

Encryption Errors

  • Verify encryption service is properly configured
  • Check that encryption keys are available
  • Ensure proper error handling for encryption failures

Validation Failures

  • Check provider configuration matches expected format
  • Verify required fields are properly marked
  • Test validation rules with sample data

Permission Errors

  • Confirm user has required permissions
  • Check role assignments are correct
  • Verify middleware is properly applied to routes

Debug Commands

Performance Considerations

Optimization Strategies

  • Lazy Loading: Load provider configurations on demand
  • Caching: Cache provider configurations in memory
  • Batch Operations: Support bulk credential operations
  • Pagination: Implement pagination for large credential lists

Monitoring

  • API Response Times: Monitor credential API performance
  • Encryption Overhead: Track encryption/decryption performance
  • Database Queries: Optimize credential lookup queries
  • Memory Usage: Monitor provider configuration memory usage

Future Enhancements

Planned Features

  • Credential Sharing: Share credentials between teams
  • Expiration Dates: Set expiration dates for credentials
  • Usage Tracking: Track which deployments use which credentials
  • Backup/Restore: Export/import encrypted credential backups
  • Integration Testing: Test credentials against actual providers

Extension Points

  • Custom Providers: Plugin system for custom cloud providers
  • Validation Plugins: Custom validation rules for specific providers
  • Encryption Backends: Support for different encryption systems
  • Audit Plugins: Custom audit logging implementations