LogoLogo
  • Welcome to Release
  • Getting started
    • Quickstart
    • Create an account
    • Prepare to use Release
    • Create an application
      • Create custom application
      • Create from template
      • Servers vs runnables
    • Create an environment
  • Guides and examples
    • Domains and DNS
      • Manage domains
      • DNS and nameservers
        • Configure GoDaddy
        • Configure Cloudflare
        • Configure Namecheap
        • Other DNS hosts
      • Routing traffic
    • Example applications
      • Full stack voting app
      • Flask and RDS counter app
      • Static site with Gatsby
      • Golang with Postgres and Nginx
      • WordPress with MySQL
      • Spring and PostgreSQL
      • Terraform and Flask
      • OpenTelemetry demo
      • Load balancer with hostname
      • Static JavaScript service
      • SSH bastion access to services
      • ngrok and OAuth for private tunnels
      • Using OAuth Proxy
      • Hybrid Docker and static site
      • App Imports: Connecting two applications
      • Example library
    • Running instances
      • Cron jobs
      • Jobs
      • Using Helm charts
      • Using terminal
      • Viewing logs
      • Troubleshooting
        • ImagePullBackoff error
        • CrashLoopBackoff error
        • Exit codes
        • OOM: out of memory
    • Advanced guides
      • Containers guide
      • Application guide
      • Kubernetes guide
      • Create a cluster
      • Upgrade a cluster
      • Managing node groups
      • Patch node groups
      • Hostnames and rules
      • Serve traffic on multiple ports
      • Configure access to your K8s cluster
      • Designing for multiple environments
      • Microservices architecture
      • Monitoring your clusters
      • Performance tuning
      • Visibility and monitoring
      • Working with data
        • Container-based data
        • Seeding and migration
        • Cloud-provided data
        • Golden images
        • Third party
      • Pausing Instant Datasets
        • Application pausing schedules
        • Pause/resume environments
      • Infrastructure as code
        • Terraform
  • Reference documentation
    • Account settings
      • Account info
      • Managing users
      • Build settings
        • Build arguments
        • Build SSH keys
      • Add integrations
      • View clusters and cloud integrations
      • Add datasets
      • Environment handles
    • Workflows in Release
      • Stages of workflows
      • Serial deployments
      • Parallel deployments
      • Rolling deployments
      • Rainbow deployments
    • Networking
      • Network architecture (AWS)
      • Network architecture (GCP)
      • Ingresses
      • IP addresses
      • Cloud-provided services
      • Third-party services
    • Release environment versioning
    • Application settings
      • Application Template
        • Schema definition
      • Default environment variables
      • GitHub
      • Pull requests
      • GitOps
      • Just-in-time file mounts
      • Primary App Link
      • Create application FAQ
      • App-level build arguments
      • Parameters
      • Workspaces
    • End-to-end testing
    • Environment settings
      • Environment configuration
      • Environment variables
        • Environment variable mappings
        • Secrets vaults
        • Using Secrets with GitOps
        • Kubernetes Secrets as environment variables
        • Managing legacy Release Secrets
    • Environment expiration
    • Environment presets
    • Instant datasets on AWS
    • Instant datasets on GCP
    • Instant dataset tasks
      • Tonic Cloud
      • Tonic On-Premise
    • Cloud resources
    • Static service deployment
    • Helm
      • Getting started
      • Version-controlled Helm charts
      • Open-source charts
      • Building Docker images
      • Ingress and networking
      • Configuration
    • GitOps
    • The .release.yaml file
    • Docker Compose conversion support
    • Reference examples
      • Adding and removing services
      • Managing service resources
      • Adding database containers to the Application Template
      • Stock Off-The-Shelf Examples
    • Release API
      • Account Authentication
      • Environments API
        • Create
        • Get
        • Setup
        • Patch
      • User Authentication
      • Environment Presets API
        • Get Environment Preset List
        • Get Environment Preset
        • Put Environment Preset
  • Background concepts
    • How Release works
  • Frequently asked questions
    • Release FAQ
    • AWS FAQ
    • Docker FAQ
    • JavaScript FAQ
  • Integrations
    • Integrations overview
      • Artifactory integration
      • Cloud integrations (AWS)
        • AWS guides
        • Grant access to AWS resources
        • AWS how to increase EIP quota
        • Control your EKS fleet with systems manager
        • Managing STS access
        • AWS Permissions Boundaries
        • Private ECR Repositories
        • Using an Existing AWS VPC
        • Using an Existing EKS Cluster
      • Docker Hub integration
      • LaunchDarkly integration
      • Private registries
      • Slack integration
      • Cloud integrations (GCP)
        • GCP Permissions Boundary
      • Datadog Agent
      • Doppler Secrets Manager
      • AWS Secrets Management
    • Source control integrations
      • GitHub
        • Pull request comments
        • Pull request labels
        • GitHub deployments
        • GitHub statuses
        • Remove GitHub integration
      • Bitbucket
      • GitLab
    • Monitoring and logging add-ons
      • Datadog
      • New Relic
      • ELK (Elasticsearch, Logstash, and Kibana)
  • Release Delivery
    • Create new customer integration
    • Delivery guide
    • Release to customer account access controls
    • Delivery FAQs
  • Release Instant Datasets
    • Introduction
    • Quickstart
    • Security
      • AWS Instant Dataset security
    • FAQ
    • API
  • CLI
    • Getting started
    • Installation
    • Configuration
    • CLI usage example
    • Remote development environments
    • Command reference
      • release accounts
        • release accounts list
        • release accounts select
      • release ai
        • release ai chat
        • release ai config-delete
        • release ai config-init
        • release ai config-select
        • release ai config-upsert
      • release apps
        • release apps list
        • release apps select
      • release auth
        • release auth login
        • release auth logout
      • release builds
        • release builds create
      • release clusters
        • release clusters exec
        • release clusters kubeconfig
        • release clusters shell
      • release datasets
        • release datasets list
        • release datasets refresh
      • release deploys
        • release deploys create
        • release deploys list
      • release development
        • release development logs
        • release development start
      • release environments
        • release environments config-get
        • release environments config-set
        • release environments create
        • release environments delete
        • release environments get
        • release environments list
        • release environments vars-get
      • release gitops
        • release gitops init
        • release gitops validate
      • release instances
        • release instances exec
        • release instances logs
        • release instances terminal
  • Release.ai
    • Release.ai Introduction
    • Getting Started
    • Release.ai Templates
    • Template Configuration Basics
    • Using GPU Resources
    • Custom Workflows
    • Fine Tuning LlamaX
    • Serving Inference
Powered by GitBook
On this page
  • How to create secret environment variables in Release
  • How to edit secret environment variables in Release
  • How to apply updated secrets to an environment in Release
  • How to access secrets from your app

Was this helpful?

  1. Reference documentation
  2. Environment settings
  3. Environment variables

Managing legacy Release Secrets

Learn how to create and edit secret environment variables for your Release environments

PreviousKubernetes Secrets as environment variablesNextEnvironment expiration

Last updated 1 year ago

Was this helpful?

This section refers to a legacy implementation of secrets storage in Release. We HIGHLY recommend using the new implementation for secrets. The legacy implementation is kept for backward compatibility or for lightweight "obscured" data that is not highly sensitive. Secrets created in the legacy format are automatically converted to RSM secrets. Please refer to the secret vaults page for up-to-date usage.

Secret environment variables allow your environments to securely access passwords, API keys, and other sensitive information.

Secrets differ from other environment variables in two ways:

  • Secrets are encrypted and saved in a vault.

  • Secrets are always hidden from Release's interface.

Secrets can be created and updated using Release's YAML editor. If you are using GitOps, you can check the keys for your secrets in along with the rest of your environment variables and code, and then define the values using the UI, keeping your secrets separate from your code.

How to create secret environment variables in Release

As with all environment variables, secret environment variables can be added by editing an app's , or by editing an environment's .

  1. In Release, edit the environment variables:

    1. To add application-specific secrets that apply as defaults to all new environments, navigate to the App Settings page. Click the Edit button in the “Default Environment Variables” section.

    2. To add environment-specific secrets, navigate to the environment's Settings page. Click the Edit button in the “Environment Variables” section.

  2. Add secret: true to the environment variable's declaration.

  3. Click Save as new version to save your changes.

Release will now encrypt and save the secret in the vault.

How to edit secret environment variables in Release

Unlike other environment variables, secret values are always hidden in Release's YAML editor.

To edit an existing secret, add a value field with your new value.

  1. In Release, edit the environment variables:

    1. To edit application-specific secrets that apply as defaults to all new environments, navigate to the App Settings page. Click the Edit button in the “Default Environment Variables” section.

    2. To edit environment-specific secrets, navigate to the environment's Settings page. Click the Edit button in the “Environment Variables” section.

  2. Add a value field to the environment variable's declaration.

  3. Add the new secret value to the value field.

  4. Click Save as new version to save your changes.

Release will now encrypt and save the updated secret in the vault.

How to apply updated secrets to an environment in Release

If you are editing an environment-specific secret, a further step is required before applying your new configuration.

Before Release compares a new configuration to the previous version, secrets are removed from the YAML files. This means that from Release's point of view it may look like nothing has changed, even though the secret value saved in the vault has changed.

To make sure Release knows you've changed a secret, add or change any non-secret environment variable. For example, add a new environment variable with key SECRET_CHANGED and increase its value by 1 every time you change a secret.

Once you're done editing your environment-specific environment variables, click the Apply button in the “Apply Latest Configuration” section.

Release will now re-deploy this environment with updated environment variables.

How to access secrets from your app

Secret environment variables can be accessed just as you would access any other environment variable.

For example, access a secret environment variable from Python with os.environ:

import os
password = os.environ.get('DB_PASSWORD')

To view secret environment variables in the for debugging, open a terminal for a running instance, and print the secret value using echo $DB_PASSWORD.

terminal
secret vaults
default environment variables
environment-specific environment variables
Adding a secret environment variable
Editing a secret environment variable