Trouble injecting PEM-formatted Apple private key into Kratos via Terraform + secrets.yaml

# ory-selfhosting

Hey folks 👋 We're integrating Apple SSO in ORY Kratos and trying to inject the `apple_private_key` securely using our `secrets.yaml` file, which is managed by Terraform and encrypted via SOPS + Azure Key Vault. We store the key like this in `secrets.yaml`:
```yaml
Apple--Oidc--PrivateKey: |-
  -----BEGIN PRIVATE KEY-----
  MIIFakeKEYDontUseThisValue123456ABCDEF==
  MoreFakeBase64LinesHereJustToSimulateStructure==
  -----END PRIVATE KEY-----
```
Then in `kratos.yaml`, we try to reference the key using a Terraform-injected variable:

```yaml
apple_private_key: |+
  ${apple_oidc_private_key}
```
Here, `${apple_oidc_private_key}` is a Terraform variable whose value is read from `Apple--Oidc--PrivateKey`. We've also tried these variations:

- `|-`
- `|+`
- `|`
- `apple_private_key: ${apple_oidc_private_key}` (no block scalar)
- `apple_private_key: base64://...` (using a stripped + inlined Base64 string)

However, Kratos either fails to start or throws PEM parsing errors:
```json
{
  "error": {
    "code": 500,
    "status": "Internal Server Error",
    "message": "failed to decode PEM block containing private key"
  }
}
```
And inside the Kubernetes pod, in the .yaml, the value looks like this (without indentation):

```yaml
apple_private_key: |+
-----BEGIN PRIVATE KEY-----
MIIFakeKEY...
-----END PRIVATE KEY-----
```
The solution is:

```yaml
apple_private_key: |-  # ${apple_oidc_private_key} holds only the base64 body of the key
  -----BEGIN PRIVATE KEY-----
  ${apple_oidc_private_key}
  -----END PRIVATE KEY-----
```
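To show why the first template loses the key and the last one keeps it, here is an added Go check (not from the post, and not Kratos code) that simulates Terraform's substitution, extracts the YAML block scalar the way a parser would, and runs Go's `pem.Decode` on the result; `tmplBroken`, `tmplFixed`, `render` and the placeholder DER bytes are assumptions for the demonstration.

```go
package main

import (
	"encoding/base64"
	"encoding/pem"
	"errors"
	"strings"
)

// Simplified kratos.yaml fragments (assumed): the post's failing template and its fix.
const tmplBroken = "apple_private_key: |-\n  ${apple_oidc_private_key}\n"
const tmplFixed = "apple_private_key: |-\n  -----BEGIN PRIVATE KEY-----\n  ${apple_oidc_private_key}\n  -----END PRIVATE KEY-----\n"
// Constructed stand-in for DER key bytes (not a real key); long enough that PEM wraps the base64 body.
var fakeDER = []byte(strings.Repeat("constructed-placeholder-bytes-", 4))

// render stands in for Terraform's templatefile(): plain substitution, no re-indentation.
func render(tmpl, value string) string {
	return strings.ReplaceAll(tmpl, "${apple_oidc_private_key}", value)
}

// blockScalar returns the content of "key: |" / "key: |-" (key at column 0). The scalar
// ends at the first non-blank unindented line, which a substituted multi-line PEM supplies.
func blockScalar(doc, key string) string {
	var body []string
	in := false
	for _, line := range strings.Split(doc, "\n") {
		if strings.HasPrefix(line, key+": |") {
			in = true
		} else if in && strings.TrimSpace(line) != "" && !strings.HasPrefix(line, " ") {
			break
		} else if in {
			body = append(body, strings.TrimLeft(line, " "))
		}
	}
	return strings.Join(body, "\n")
}

// checkAppleKey is the decode step the post's error comes from: one PEM "PRIVATE KEY" block.
func checkAppleKey(rendered string) error {
	block, _ := pem.Decode([]byte(blockScalar(rendered, "apple_private_key")))
	if block == nil || block.Type != "PRIVATE KEY" {
		return errors.New("failed to decode PEM block containing private key")
	}
	return nil
}

// The two values one might hand to Terraform: the whole PEM, or only its base64 body.
func wholePEM() string { return string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: fakeDER})) }
func base64Body() string { return base64.StdEncoding.EncodeToString(fakeDER) }
```

Terraform's built-in `indent()` function applied to the variable is the other way to keep every line of a multi-line value inside the block scalar, since it indents all lines after the first.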