Secret retrieval during runtime in payload v2

[jkauppinen]

In payload v1 we retrieved secrets from Azure Key Vault before starting payload in server.ts

  let mongoUri = "";
  let payloadSecret = "";

    // In production we store secrets to Azure Key Vault
    if (process.env.NODE_ENV === "production") {
      const credential = new ManagedIdentityCredential(
        process.env.AZURE_CLIENT_ID
      );
      const secretClient = new SecretClient(
        process.env.KEY_VAULT_URI,
        credential
      );
      mongoUri = (await secretClient.getSecret("mongoConnectionString")).value;
      payloadSecret = (await secretClient.getSecret("payloadSecret")).value;
    } else {
      mongoUri = process.env.MONGODB_URI;
      payloadSecret = process.env.SECRET;
    }
    await payload.init({
      secret: payloadSecret,
      mongoURL: mongoUri,
      express: app,
    });

This worked very nicely. In payload v2 the configuration of database is moved to payload.config.ts:

  db: mongooseAdapter({
    url: process.env.MONGODB_URI,
  }),

This complicates the setup and breaks our existing model, as we don't want to store secrets in environment variables in production.
Couple of questions:

• Does payload need the db uri during build?
• Can we inject the uri to our environment after payload's build and payload will respect the new value?
• What is the recommended solution in v2 for injecting secrets that are required for configuration?

[DanRibbens]

Hi @jkauppinen,

I think this PR might help you with part of problem: #4028.
Once this is released you shouldn't need to connect to the DB in order to build your project.

You have some flexibility on how you start Payload.
You can pass the config in toi the init options:

// server.ts
const start = async () => {
  app.use('/assets', express.static(path.resolve(__dirname, './assets')))

  // Initialize Payload
  await payload.init({
    config,
    express: app,
    onInit: async () => {
      payload.logger.info(`Payload Admin URL: ${payload.getAdminURL()}`)
    },
    secret: process.env.PAYLOAD_SECRET,
  })

  // Add your own express routes here

  app.listen(3000)
}

// payload.config.ts
export const config: Config = async () => {
  const secrets = await getSecrets();
  return {
    db: mongooseAdapter({
      url: secrets['DB_URL'],
    }),
    editor: lexicalEditor(),
  }
  // the rest of the config....
}

I haven't tried it, but I think this should give you what you need.

[jkauppinen]

Hey @DanRibbens , glad to hear you are working on removing the DB dependency from build.

payload init options expects Promise<SanitizedConfig>. Are there any examples in your codebase for creating SanitizedConfig "manually" for init? Just chaining a function that creates Config and buildConfig (which creates Promise<SanitizedConfig> from Config) did not work for me as I get runtime errors from payload, but I'm sure there is a better way.