Secret vaults
Importing secrets from external secrets managers
Environment variables may be imported from Release Secrets Manager, AWS Secrets Manager, AWS Systems Manager Parameter Store (SSM), and GCP's Secret Manager by using the format of
$secrets.<provider abbreviation>.<secret_name>for the value. The key and secret will follow the same variable schema as any other secret environment variable:key:
type: String
description: Env variable name
required: true
value:
type: String
description: Representation of the value to be fetched. $secrets.<provider_abbreviation>.<secret_name> format. If secret is true, and this field is omitted, will use previously saved value.
required: true (but hidden if secret)
secret:
type: Boolean
description: Value is secret and should be encrypted and not visible in the UI when viewing
required: false, but required for secrets manager imports
The abbreviations for the provider are as follows:
Provider | Provider Abbreviation |
|---|---|
Release Secrets Manager | rsm |
AWS Secrets Manager | aws |
AWS Systems Manager Parameter Store | ssm |
GCP Secret Manager | gcp |
Contact us if you are a govcloud user to enable beta access.
Navigate to the Settings page (this also works anywhere a value is referenced in the Release UI). Paste the formatted value in the Environment Variables following the schema requirements. Make sure to set secret to true and choose a unique key value.
- key: TEST_SSM
value: $secrets.ssm.test
secret: true
- key: TEST_AWS
value: $secrets.aws.test
secret: true
- key: TEST_GCP
value: $secrets.gcp.test
secret: true
- key: TEST_RELEASE
value: $secrets.rsm.test
secret: true
The actual values of the secrets will be fetched and encoded before they are applied.
Caution: To reset the fetched value you must re-deploy. An updated value in an external secret manager will not update the stored encoded value.
Rather than formatting the value manually, you can copy the value from the Secrets page.
Select a Secret Provider from the Secrets section
First, navigate to Settings -> Secrets. Select a secret provider from the dropdown. Additional dropdowns for Cloud Integration and region will appear if necessary. Only Cloud Integrations with running Clusters will be displayed in the dropdown for GCP and AWS/SSM.
Next, click the copy icon to copy the formatted value.
Click the copy icon to get the formatted value
Navigate to Settings -> Secrets. Select the Release logo from the dropdown menu. Click + Create Secret.
Click the Create Secret button
Fill out the key and value then click Create Secret.
Navigate to Settings -> Secrets. Select the AWS logo from the dropdown menu. Additional dropdown menus for Cloud Integration and region will appear if necessary. Click + Create AWS Secret.
Two buttons appear if AWS Secrets and SSM Parameters are available for your account.
Fill out the Key/Name, Value, and Description fields. Click Create Secret. A success or error message will appear. Any parameter created here will have the tag {"created_by" : "release"}.
Navigate to Settings -> Secrets. Select the AWS logo from the dropdown menu. Additional dropdown menus for Cloud Integration and region will appear if necessary. Click + Create SSM Parameter. Fill out the Key/Name and Value fields. Select a type from String, StringList, or SecureString.
Click Create Secret. A success or error message will appear. Any parameter created here will have the tag {"created_by" : "release"}.
Navigate to Settings -> Secrets. Select the GCP logo from the first dropdown menu. Click + Create Secret.
Fill out the Key/Name and Value fields. Click Create Secret. A success or failure message will appear. Note that any secret created will have the label {"created_by" : "release"}.
Last modified 3mo ago