Secrets vaults

Importing secrets from external secrets managers

You can import environment variables from Release Secrets Manager, AWS Secrets Manager, AWS Systems Manager Parameter Store (SSM), and GCP Secret Manager using the format $secrets.<provider abbreviation>.<secret_name> for the value. The key and secret will follow the same variable schema as any other secret environment variable:

key:
  type: String
  description: Env variable name
  required: true
value:
  type: String
  description: Representation of the value to be fetched. $secrets.<provider_abbreviation>.<secret_name> format. If secret is true, and this field is omitted, will use previously saved value.
  required: true (but hidden if secret)
secret:
  type: Boolean
  description: Value is secret and should be encrypted and not visible in the UI when viewing
  required: false, but required for secrets manager imports

Here are the provider abbreviations:

Provider	Provider Abbreviation
Release Secrets Manager	rsm
AWS Secrets Manager	aws
AWS Systems Manager Parameter Store	ssm
GCP Secret Manager	gcp

Provider

Provider Abbreviation

Release Secrets Manager

rsm

AWS Secrets Manager

aws

AWS Systems Manager Parameter Store

ssm

GCP Secret Manager

gcp

If you are an AWS GovCloud user, contact us to enable beta access.

Referencing cloud secrets

Navigate to the Settings page and click the Edit button to modify the "Environment Variables" file. Paste the formatted value into the "Environment Variables" file, following the schema requirements. Ensure you set secret to true and choose a unique key value.

- key: TEST_SSM
  value: $secrets.ssm.test
  secret: true
- key: TEST_AWS
  value: $secrets.aws.test
  secret: true
- key: TEST_GCP
  value: $secrets.gcp.test
  secret: true
- key: TEST_RELEASE
  value: $secrets.rsm.test
  secret: true

Release will fetch and encode the values of the secrets before applying them.

Caution: To reset the fetched value, you must redeploy. An updated value in an external secrets manager will not update the stored encoded value.

Copying referenced secrets

Rather than formatting the value manually, you can copy the value from the Secrets page.

Navigate to Settings -> Secrets. Select a secrets provider from the dropdown. Additional dropdowns for cloud integration and region will appear if relevant. Only cloud integrations with running clusters will be displayed in the dropdown for GCP, AWS, and SSM.

Click the copy icon to copy the formatted value.

Creating Release secrets

Navigate to Settings -> Secrets. Select the Release logo from the dropdown menu. Click + Create Secret.

Fill out the key and value, then click Create Secret.

Creating AWS secrets

Navigate to Settings -> Secrets. Select the AWS logo from the dropdown menu. Additional dropdown menus for cloud integration and region will appear if relevant. Click + Create AWS Secret.

Fill out the Key/Name, Value, and Description fields. Click Create Secret. A success or error message will appear. Any parameter created here will have the tag {"created\_by" : "release"}.

Creating AWS Systems Manager Parameter Store parameters

Navigate to Settings -> Secrets. Select the AWS logo from the dropdown menu. Additional dropdown menus for cloud integration and region will appear if relevant. Click + Create SSM Parameter. Fill out the Key/Name and Value fields. Select a type from String, StringList, or SecureString.

Click Create Secret. A success or error message will appear. Any parameter created here will have the tag {"created\_by" : "release"}.

Creating GCP secrets

Navigate to Settings -> Secrets. Select the GCP logo from the first dropdown menu. Click + Create Secret.

Fill out the Key/Name and Value fields. Click Create Secret. A success or failure message will appear. Note that any secret created will have the label {"created\_by" : "release"}.

PreviousEnvironment variable mappings NextUsing Secrets with GitOps

Last updated 5 months ago