Search…
Secrets
Importing secrets from external secrets managers

Introduction

Environment variables may be imported from the AWS Secrets Manager, AWS Systems Manager Parameter Store, and GCP's Secret Manager by using the format of $secrets.<provider abbreviation>.<secret_name>for the value. The key and secret will follow the same variable schema as any other secret environment variable:
key:
type: String
description: Env variable name
required: true
value:
type: String
description: Representation of the value to be fetched. $secrets.<provider_abbreviation>.<secret_name> format. If secret is true, and this field is omitted, will use previously saved value.
required: true (but hidden if secret)
secret:
type: Boolean
description: Value is secret and should be encrypted and not visible in the UI when viewing
required: false, but required for secrets manager imports
The abbreviations for the provider are as follows:
Provider
Provider Abbreviation
AWS Secrets Manager
aws
AWS Systems Manager Parameter Store
ssm
GCP Secret Manager
gcp
Contact us if you are a govcloud user to enable beta access.

Creating Secrets

Rather than formatting the value manually, you can copy the value from the Secrets page.
Select a Cloud Integration from the Secrets section
First, navigate to Settings -> Secrets. Select a cloud integration from the dropdown to view the secret names and identifiers for that cloud integration.
Next, click the copy icon to copy the formatted value.
Click the copy icon to get the formatted value

Update Configuration

Finally, navigate back to the Settings page. Paste the formatted value in the Environment Variables following the schema requirements. Make sure to set secret to true and choose a unique key value.
- key: TEST_SSM
value: $secrets.ssm.test
secret: true
- key: TEST_AWS
value: $secrets.aws.test
secret: true
- key: TEST_GCP
value: $secrets.gcp.test
secret: true
The actual values of the secrets will be fetched and encoded before they are saved.
Caution: To reset the fetched value you must re-deploy. An updated value in an external secret manager will not update the stored encoded value.
Copy link
On this page