Managing secrets

Learn how to create and edit secret environment variables for your Release environments

Secret environment variables allow your environments to securely access passwords, API keys, and other sensitive information.
Secrets differ from other environment variables in two ways:
Secrets are encrypted and saved in a vault.
Secrets are always hidden from Release's interface.
Secrets can be created and updated using Release's YAML editor. If you are using GitOps, you can check the keys for your secrets in along with the rest of your environment variables and code, and then define the values using the UI, keeping your secrets separate from your code.
How to create secret environment variables in Release
As with all environment variables, secret environment variables can be added by editing an app's default environment variables, or by editing an environment's environment-specific environment variables.
1.In Release, edit the environment variables:
1.To add application-specific secrets that apply as defaults to all new environments, navigate to the App Settings page. Click the Edit button in the “Default Environment Variables” section.
2.To add environment-specific secrets, navigate to the environment's Settings page. Click the Edit button in the “Environment Variables” section.
2.Add secret: true to the environment variable's declaration.
3.Click Save as new version to save your changes.
Adding a secret environment variable
Release will now encrypt and save the secret in the vault.
How to edit secret environment variables in Release
Unlike other environment variables, secret values are always hidden in Release's YAML editor.
To edit an existing secret, add a value field with your new value.
1.In Release, edit the environment variables:
1.To edit application-specific secrets that apply as defaults to all new environments, navigate to the App Settings page. Click the Edit button in the “Default Environment Variables” section.
2.To edit environment-specific secrets, navigate to the environment's Settings page. Click the Edit button in the “Environment Variables” section.
2.Add a value field to the environment variable's declaration.
3.Add the new secret value to the value field.
4.Click Save as new version to save your changes.
Editing a secret environment variable
Release will now encrypt and save the updated secret in the vault.
How to apply updated secrets to an environment in Release
If you are editing an environment-specific secret, a further step is required before applying your new configuration.
Before Release compares a new configuration to the previous version, secrets are removed from the YAML files. This means that from Release's point of view it may look like nothing has changed, even though the secret value saved in the vault has changed.
To make sure Release knows you've changed a secret, add or change any non-secret environment variable. For example, add a new environment variable with key SECRET_CHANGED and increase its value by 1 every time you change a secret.
Once you're done editing your environment-specific environment variables, click the Apply button in the “Apply Latest Configuration” section.
Release will now re-deploy this environment with updated environment variables.
How to manage secrets when using GitOps
If your Release account has GitOps enabled, you can edit environment variables by checking a .release/environment_variables.yaml file into your repository.
Even when using GitOps, you still have the option to manage secrets using the Release YAML editor.
When GitOps triggers a new deployment, and a secret's value in your .release/environment_variables.yaml file is not left blank, this value will replace any value you may have previously set for this secret in Release's YAML editor.
To avoid confusion, it is recommended that you choose only one of the following options for managing secrets in your GitOps-enabled environments:
GitOps option 1: Manage secrets via Release (recommended for security)
If you follow best practices and prefer not to commit secrets in Git, leave the value field blank for secret environment variables in your .release/environment_variables.yaml file:
# .release/environment_variables.yaml abridged
# Note DB_PASSWORD value is left blank
# Add a value to DB_PASSWORD in Release environment
services:
  web:
  - key: DB_PASSWORD
    value:
    secret: true
  - key: DB_USERNAME
    value: this-is-not-a-secret
You can then edit secrets by following the steps under How to edit secret environment variables in Release above.
GitOps option 2: Manage secrets via source code (not recommended for any sensitive secrets)
If you choose to manage secrets in your repository, set the value field for secrets in your .release/environment_variables.yaml file:
# .release/environment_variables.yaml abridged
# Note DB_PASSWORD value is saved in this file
services:
  web:
  - key: DB_PASSWORD
    value: this-secret-set-via-source
    secret: true
  - key: DB_USERNAME
    value: this-is-not-a-secret
A secret's value will still always remain hidden in Release's YAML editor, even if managed via source.
GitOps secret hidden
How to access secrets from your app
Secret environment variables can be accessed just as you would access any other environment variable.
For example, access a secret environment variable from Python with os.environ:
import os
password = os.environ.get('DB_PASSWORD')
To view secret environment variables in the terminal for debugging, open a terminal for a running instance, and print the secret value using echo $DB_PASSWORD.

Secret vaults

Next - Reference documentation

Environment expiration

Last modified 1mo ago