Managing secrets

Learn how to create and edit secret environment variables for your ReleaseHub environments
Secret environment variables allow your environments to securely access passwords, API keys, and other sensitive information.
Secrets differ from other environment variables in two ways:
  • Secrets are encrypted and saved in a vault.
  • Secrets are always hidden from ReleaseHub's interface.
Secrets can be created and updated using ReleaseHub's YAML editor. If you are using GitOps, you can check in the keys for your secrets along with the rest of your environment variables and code, and then define the values using the UI, keeping your secrets separate from your code.

How to create secret environment variables in ReleaseHub

As with all environment variables, secret environment variables can be added by editing an app's default environment variables, or by editing an environment's environment-specific environment variables.
  1. In ReleaseHub, edit the environment variables:
    1. To add application-specific secrets that apply as defaults to all new environments, navigate to the App Settings page. Click the Edit button in the “Default Environment Variables” section.
    2. To add environment-specific secrets, navigate to the environment's Settings page. Click the Edit button in the “Environment Variables” section.
  2. Add secret: true to the environment variable's declaration.
  3. Click Save as new version to save your changes.
Adding a secret environment variable
ReleaseHub will now encrypt and save the secret in the vault.

How to edit secret environment variables in ReleaseHub

Unlike other environment variables, secret values are always hidden in ReleaseHub's YAML editor.
To edit an existing secret, add a value field with your new value.
  1. In ReleaseHub, edit the environment variables:
    1. To edit application-specific secrets that apply as defaults to all new environments, navigate to the App Settings page. Click the Edit button in the “Default Environment Variables” section.
    2. To edit environment-specific secrets, navigate to the environment's Settings page. Click the Edit button in the “Environment Variables” section.
  2. Add a value field to the environment variable's declaration.
  3. Add the new secret value to the value field.
  4. Click Save as new version to save your changes.
Editing a secret environment variable
ReleaseHub will now encrypt and save the updated secret in the vault.

How to apply updated secrets to an environment in ReleaseHub

If you are editing an environment-specific secret, a further step is required before applying your new configuration.
Before ReleaseHub compares a new configuration to the previous version, secrets are removed from the YAML files. This means that from ReleaseHub's point of view it may look like nothing has changed, even though the secret value saved in the vault has changed.
To make sure ReleaseHub knows you've changed a secret, add or change any non-secret environment variable. For example, add a new environment variable with key SECRET_CHANGED and increase its value by 1 every time you change a secret.
Once you're done editing your environment-specific environment variables, click the Apply button in the “Apply Latest Configuration” section.
ReleaseHub will now re-deploy this environment with updated environment variables.

How to manage secrets when using GitOps

If your ReleaseHub account has GitOps enabled, you can edit environment variables by checking a .release/environment_variables.yaml file into your repository.
Even when using GitOps, you still have the option to manage secrets using the ReleaseHub YAML editor.
When GitOps triggers a new deployment, and a secret's value in your .release/environment_variables.yaml file is not left blank, this value will replace any value you may have previously set for this secret in ReleaseHub's YAML editor.
To avoid confusion, it is recommended that you choose only one of the following options for managing secrets in your GitOps-enabled environments:
If you follow best practices and prefer not to commit secrets in Git, leave the value field blank for secret environment variables in your .release/environment_variables.yaml file:
# .release/environment_variables.yaml abridged
# Note DB_PASSWORD value is left blank
# Add a value to DB_PASSWORD in ReleaseHub environment
services:
  web:
    - key: DB_PASSWORD
      value:
      secret: true
    - key: DB_USERNAME
      value: this-is-not-a-secret
You can then edit secrets by following the steps under How to edit secret environment variables in ReleaseHub above.
If you choose to manage secrets in your repository, set the value field for secrets in your .release/environment_variables.yaml file:
# .release/environment_variables.yaml abridged
# Note DB_PASSWORD value is saved in this file
services:
  web:
    - key: DB_PASSWORD
      value: this-secret-set-via-source
      secret: true
    - key: DB_USERNAME
      value: this-is-not-a-secret
A secret's value will still always remain hidden in ReleaseHub's YAML editor, even if managed via source.
GitOps secret hidden
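As an added example (not ReleaseHub's own code), the following pre-commit or CI check supports the first option above by listing every secret: true entry in .release/environment_variables.yaml that has a value filled in. It assumes the key/value/secret list layout shown on this page and uses a simplified line scanner rather than a full YAML parser; the function name committed_secrets and the sample content are constructed for illustration.

```python
import re
import sys

# Constructed sample in the layout shown above (not a real configuration).
SAMPLE = """\
# .release/environment_variables.yaml abridged
services:
  web:
    - key: DB_PASSWORD
      value: this-secret-set-via-source
      secret: true
    - key: API_TOKEN
      value:
      secret: true
    - key: DB_USERNAME
      value: this-is-not-a-secret
"""

# Only the three fields used on this page are inspected (assumption).
FIELD = re.compile(r"^\s*(key|value|secret):\s*(.*?)\s*$")
BLANK = ("", "~", "null")  # YAML spellings of an empty value


def committed_secrets(text):
    """Return keys marked secret: true whose value field is not blank."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0]           # drop trailing comments
        stripped = line.lstrip()
        if stripped == "-" or stripped.startswith("- "):
            current = {}                        # a dash starts a new variable
            entries.append(current)
            line = stripped[1:]
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip("'\"")
    return [e.get("key") for e in entries
            if e.get("secret", "").lower() == "true"
            and e.get("value", "") not in BLANK]


if __name__ == "__main__":
    # Usage: python check_secrets.py .release/environment_variables.yaml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    leaked = committed_secrets(text)
    for key in leaked:
        print(f"{key}: secret has a value set in the file")  # key only, never the value
    sys.exit(1 if leaked else 0)
```

The script reports only the key names and exits non-zero when any are found, so it can block a commit or fail a pipeline without echoing the secret itself.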

How to access secrets from your app

Secret environment variables can be accessed just as you would access any other environment variable.
For example, access a secret environment variable from Python with os.environ:
import os
password = os.environ.get('DB_PASSWORD')
To view secret environment variables in the terminal for debugging, open a terminal for a running instance, and print the secret value using echo "$DB_PASSWORD".