
Managing secrets

Learn how to create and edit secret environment variables for your Release environments
Secret environment variables allow your environments to securely access passwords, API keys, and other sensitive information.
Secrets differ from other environment variables in two ways:
  • Secrets are encrypted and saved in a vault.
  • Secrets are always hidden from Release's interface.
Secrets can be created and updated using Release's YAML editor. If you are using GitOps, you can check in the keys for your secrets along with the rest of your environment variables and code, and then define the values using the UI, keeping your secrets separate from your code.

How to create secret environment variables in Release

As with all environment variables, secret environment variables can be added by editing an app's default environment variables, or by editing an environment's environment-specific environment variables.
  1. In Release, edit the environment variables:
    1. To add application-specific secrets that apply as defaults to all new environments, navigate to the App Settings page. Click the Edit button in the “Default Environment Variables” section.
    2. To add environment-specific secrets, navigate to the environment's Settings page. Click the Edit button in the “Environment Variables” section.
  2. Add secret: true to the environment variable's declaration.
  3. Click Save as new version to save your changes.
Adding a secret environment variable
Release will now encrypt and save the secret in the vault.

How to edit secret environment variables in Release

Unlike other environment variables, secret values are always hidden in Release's YAML editor.
To edit an existing secret, add a value field with your new value.
  1. In Release, edit the environment variables:
    1. To edit application-specific secrets that apply as defaults to all new environments, navigate to the App Settings page. Click the Edit button in the “Default Environment Variables” section.
    2. To edit environment-specific secrets, navigate to the environment's Settings page. Click the Edit button in the “Environment Variables” section.
  2. Add a value field to the environment variable's declaration.
  3. Add the new secret value to the value field.
  4. Click Save as new version to save your changes.
Editing a secret environment variable
Release will now encrypt and save the updated secret in the vault.

How to apply updated secrets to an environment in Release

If you are editing an environment-specific secret, a further step is required before applying your new configuration.
Before Release compares a new configuration to the previous version, secrets are removed from the YAML files. This means that from Release's point of view it may look like nothing has changed, even though the secret value saved in the vault has changed.
To make sure Release knows you've changed a secret, add or change any non-secret environment variable. For example, add a new environment variable with key SECRET_CHANGED and increase its value by 1 every time you change a secret.
Once you're done editing your environment-specific environment variables, click the Apply button in the “Apply Latest Configuration” section.
Release will now re-deploy this environment with updated environment variables.

How to manage secrets when using GitOps

If your Release account has GitOps enabled, you can edit environment variables by checking a .release/environment_variables.yaml file into your repository.
Even when using GitOps, you still have the option to manage secrets using the Release YAML editor.
When GitOps triggers a new deployment, and a secret's value in your .release/environment_variables.yaml file is not left blank, this value will replace any value you may have previously set for this secret in Release's YAML editor.
To avoid confusion, it is recommended that you choose only one of the following options for managing secrets in your GitOps-enabled environments:
If you follow best practices and prefer not to commit secrets in Git, leave the value field blank for secret environment variables in your .release/environment_variables.yaml file:
# .release/environment_variables.yaml abridged
# Note DB_PASSWORD value is left blank
# Add a value to DB_PASSWORD in Release environment
services:
  web:
  - key: DB_PASSWORD
    value:
    secret: true
  - key: DB_USERNAME
    value: this-is-not-a-secret
You can then edit secrets by following the steps under How to edit secret environment variables in Release above.
If you choose to manage secrets in your repository, set the value field for secrets in your .release/environment_variables.yaml file:
# .release/environment_variables.yaml abridged
# Note DB_PASSWORD value is saved in this file
services:
  web:
  - key: DB_PASSWORD
    value: this-secret-set-via-source
    secret: true
  - key: DB_USERNAME
    value: this-is-not-a-secret
A secret's value will still always remain hidden in Release's YAML editor, even if managed via source.
GitOps secret hidden
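A check for the first option above, as an added example (not Release's own tooling): it parses a file shaped like .release/environment_variables.yaml and reports every entry marked secret: true whose value is not blank, so a CI job or pre-commit hook can reject the commit. It is written in Ruby because its standard library includes a YAML parser; the script name check_secrets.rb and the sample data are assumptions constructed for illustration.

```ruby
require 'yaml'

# Constructed samples in the shape of .release/environment_variables.yaml.
BLANK_SECRET = <<~YAML
  services:
    web:
    - key: DB_PASSWORD
      value:
      secret: true
YAML

COMMITTED_SECRET = <<~YAML
  services:
    web:
    - key: DB_PASSWORD
      value: this-secret-set-via-source
      secret: true
    - key: DB_USERNAME
      value: this-is-not-a-secret
YAML

# Returns "path/KEY" for every entry marked secret: true whose value is not blank.
def committed_secret_keys(yaml_text)
  findings = []
  walk = lambda do |node, path|
    case node
    when Array
      node.each { |child| walk.call(child, path) }
    when Hash
      if node.key?('key') && node['secret'] == true
        blank = node['value'].nil? || node['value'].to_s.strip.empty?
        findings << (path + [node['key']]).join('/') unless blank
      else
        node.each { |name, child| walk.call(child, path + [name.to_s]) }
      end
    end
  end
  walk.call(YAML.safe_load(yaml_text), [])
  findings
end

# Hook usage (hypothetical script name):
#   ruby check_secrets.rb .release/environment_variables.yaml
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  hits = committed_secret_keys(File.read(ARGV[0]))
  hits.each { |hit| warn "secret value committed for #{hit}" }
  exit 1 unless hits.empty?
end
```

The check only reports key names and paths, never the value, so its own output is safe to keep in CI logs.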

How to access secrets from your app

Secret environment variables can be accessed just as you would access any other environment variable.
For example, access a secret environment variable from Python with os.environ:
import os
password = os.environ.get('DB_PASSWORD')
To view secret environment variables in the terminal for debugging, open a terminal for a running instance, and print the secret value using echo $DB_PASSWORD.