Managing secrets
Learn how to create and edit secret environment variables for your Release environments
Secret environment variables allow your environments to securely access passwords, API keys, and other sensitive information.
Secrets differ from other environment variables in two ways:
- Secrets are encrypted and saved in a vault.
- Secrets are always hidden from Release's interface.
Secrets can be created and updated using Release's YAML editor. If you are using GitOps, you can check the keys for your secrets in along with the rest of your environment variables and code, and then define the values using the UI, keeping your secrets separate from your code.
As with all environment variables, secret environment variables can be added by editing an app's default environment variables, or by editing an environment's environment-specific environment variables.
- 1.In Release, edit the environment variables:
- 1.To add application-specific secrets that apply as defaults to all new environments, navigate to the App Settings page. Click the Edit button in the “Default Environment Variables” section.
- 2.To add environment-specific secrets, navigate to the environment's Settings page. Click the Edit button in the “Environment Variables” section.
- 2.Add
secret: true
to the environment variable's declaration. - 3.Click Save as new version to save your changes.

Adding a secret environment variable
Release will now encrypt and save the secret in the vault.
Unlike other environment variables, secret values are always hidden in Release's YAML editor.
To edit an existing secret, add a
value
field with your new value.- 1.In Release, edit the environment variables:
- 1.To edit application-specific secrets that apply as defaults to all new environments, navigate to the App Settings page. Click the Edit button in the “Default Environment Variables” section.
- 2.To edit environment-specific secrets, navigate to the environment's Settings page. Click the Edit button in the “Environment Variables” section.
- 2.Add a
value
field to the environment variable's declaration. - 3.Add the new secret value to the
value
field. - 4.Click Save as new version to save your changes.

Editing a secret environment variable
Release will now encrypt and save the updated secret in the vault.
If you are editing an environment-specific secret, a further step is required before applying your new configuration.
Before Release compares a new configuration to the previous version, secrets are removed from the YAML files. This means that from Release's point of view it may look like nothing has changed, even though the secret value saved in the vault has changed.
To make sure Release knows you've changed a secret, add or change any non-secret environment variable. For example, add a new environment variable with key
SECRET_CHANGED
and increase its value by 1 every time you change a secret.Once you're done editing your environment-specific environment variables, click the Apply button in the “Apply Latest Configuration” section.
Release will now re-deploy this environment with updated environment variables.
If your Release account has GitOps enabled, you can edit environment variables by checking a
.release/environment_variables.yaml
file into your repository.Even when using GitOps, you still have the option to manage secrets using the Release YAML editor.
When GitOps triggers a new deployment, and a secret's value in your
.release/environment_variables.yaml
file is not left blank, this value will replace any value you may have previously set for this secret in Release's YAML editor.To avoid confusion, it is recommended that you choose only one of the following options for managing secrets in your GitOps-enabled environments:
If you follow best practices and prefer not to commit secrets in Git, leave the
value
field blank for secret environment variables in your .release/environment_variables.yaml
file:# .release/environment_variables.yaml abridged
# Note DB_PASSWORD value is left blank
# Add a value to DB_PASSWORD in Release environment
services:
web:
- key: DB_PASSWORD
value:
secret: true
- key: DB_USERNAME
value: this-is-not-a-secret
You can then edit secrets by following the steps under How to edit secret environment variables in Release above.
If you choose to manage secrets in your repository, set the
value
field for secrets in your .release/environment_variables.yaml
file:# .release/environment_variables.yaml abridged
# Note DB_PASSWORD value is saved in this file
services:
web:
- key: DB_PASSWORD
value: this-secret-set-via-source
secret: true
- key: DB_USERNAME
value: this-is-not-a-secret
A secret's value will still always remain hidden in Release's YAML editor, even if managed via source.

GitOps secret hidden
Secret environment variables can be accessed just as you would access any other environment variable.
For example, access a secret environment variable from Python with
os.environ
:import os
password = os.environ.get('DB_PASSWORD')
To view secret environment variables in the terminal for debugging, open a terminal for a running instance, and print the secret value using
echo $DB_PASSWORD
.Last modified 1mo ago