Access different pack configs in common pack

I am trying to build a central (common) pack which contains some common actions eg.

  1. Get Data from Postgres
  2. Get Data from some API call

These are generic actions and these require configs for them to run. Eg. Postgres requires host, port, username, password, db. These configs are stored in different packs for different tenants. Each tenant has its own pack and each tenant will have its configs.

I want to reuse the common actions instead of adding these everytime to each tenant. I want one common pack which will hold the common actions and based on the tenant context or pack (tenant) name it will fetch the configs from that pack.

I have been struggling a lot to do this, unfortunately the only way I found was to duplicate these common actions across tenant packs. Is there any other way to do it?

You best bet it likely to just make all the actions in the common pack accept the credentials passed in a input to the action and then store all the credentials in the keystore in a format that matches what needs to be passed to the actions. The keystore names and be tied to the packname of the individual tenets and then you can reuse the workflows that will extract the Postgres credentials from the keystore and then use them as input to the common Postgres action. This workflow (or at minimum the first 2 tasks) can then be replicated as needed in each of the tenants.

In a workflow, you can reference the name of a pack with the following context call:

<% ctx().st2.pack %>

And you can combine that with a common name structure used across all tenants to access the key specific to the client/tenant pack that stores the credentials with a task like the following in a workflow:

get_tenant_creds:
    action: st2.kv.get_object
    input:
      key: <% 'POSTGRES___' + ctx().st2.pack %>
    next:
      - when: <% succeeded() %>
        publish: 
            - postgres_creds: <% result().result %>

With this, you can then access the credentials in using the variable name set in the publish:

<% ctx().postgres_creds %>

We allow users to create workflow and actions. So storing in KV is not a good approach for us since anyone can update KV from the action.

Currently we have decided to move with API Key and storing everything in meta as encrypted. Let me know if there is a better approach