Search
K
Links

Managing legacy Release Secrets

Learn how to create and edit secret environment variables for your Release environments
This section refers to a legacy implementation of secrets storage in Release. We HIGHLY recommend using the new secret vaults implementation for secrets. The legacy implementation is kept for backward compatibility or for lightweight "obscured" data that is not highly sensitive. Secrets created in the legacy format are automatically converted to RSM secrets. Please refer to the secret vaults page for up-to-date usage.
Secret environment variables allow your environments to securely access passwords, API keys, and other sensitive information.
Secrets differ from other environment variables in two ways:
  • Secrets are encrypted and saved in a vault.
  • Secrets are always hidden from Release's interface.
Secrets can be created and updated using Release's YAML editor. If you are using GitOps, you can check the keys for your secrets in along with the rest of your environment variables and code, and then define the values using the UI, keeping your secrets separate from your code.

How to create secret environment variables in Release

As with all environment variables, secret environment variables can be added by editing an app's default environment variables, or by editing an environment's environment-specific environment variables.
  1. 1.
    In Release, edit the environment variables:
    1. 1.
      To add application-specific secrets that apply as defaults to all new environments, navigate to the App Settings page. Click the Edit button in the “Default Environment Variables” section.
    2. 2.
      To add environment-specific secrets, navigate to the environment's Settings page. Click the Edit button in the “Environment Variables” section.
  2. 2.
    Add secret: true to the environment variable's declaration.
  3. 3.
    Click Save as new version to save your changes.
Adding a secret environment variable
Release will now encrypt and save the secret in the vault.

How to edit secret environment variables in Release

Unlike other environment variables, secret values are always hidden in Release's YAML editor.
To edit an existing secret, add a value field with your new value.
  1. 1.
    In Release, edit the environment variables:
    1. 1.
      To edit application-specific secrets that apply as defaults to all new environments, navigate to the App Settings page. Click the Edit button in the “Default Environment Variables” section.
    2. 2.
      To edit environment-specific secrets, navigate to the environment's Settings page. Click the Edit button in the “Environment Variables” section.
  2. 2.
    Add a value field to the environment variable's declaration.
  3. 3.
    Add the new secret value to the value field.
  4. 4.
    Click Save as new version to save your changes.
Editing a secret environment variable
Release will now encrypt and save the updated secret in the vault.

How to apply updated secrets to an environment in Release

If you are editing an environment-specific secret, a further step is required before applying your new configuration.
Before Release compares a new configuration to the previous version, secrets are removed from the YAML files. This means that from Release's point of view it may look like nothing has changed, even though the secret value saved in the vault has changed.
To make sure Release knows you've changed a secret, add or change any non-secret environment variable. For example, add a new environment variable with key SECRET_CHANGED and increase its value by 1 every time you change a secret.
Once you're done editing your environment-specific environment variables, click the Apply button in the “Apply Latest Configuration” section.
Release will now re-deploy this environment with updated environment variables.

How to access secrets from your app

Secret environment variables can be accessed just as you would access any other environment variable.
For example, access a secret environment variable from Python with os.environ:
import os
password = os.environ.get('DB_PASSWORD')
To view secret environment variables in the terminal for debugging, open a terminal for a running instance, and print the secret value using echo $DB_PASSWORD.