Secrets

If your projects and applications rely on sensitive data like credentials, API keys, certificates, the best way to store them is Secrets. The difference between Environment Variables and Secrets is that Secrets are safely encrypted, and their values can not be retrieved via Qovery API - they are only accessible for your application during build and runtime.

Qovery makes Secrets available to all services at runtime, as well as during builds and deploys.

Create a Secret

1. Navigate to Console

2. Select your project, environment and application

3. Select Environment Variables tab in the left panel:

   

   ---

   Switch to Secret Variables and click Create button:

   

4. Select the name and value of your new secret

   

   Scopes

   Qovery provides three scopes of secrets:

   • Project
   • Environment
   • Application

   
   

   Additionally, there is one more BUILT_IN scope that is used for variables injected automatically by Qovery.

   Project secrets are visible in the whole project.

   Environment secrets are visible for all apps inside one environment.

   Application secrets are visible only in one application.

   BUILT_IN variables are automatically injected to selected applications by Qovery.

   Read more in Levels section

How was it? Did this tutorial work?  Yes  No

Delete a Secret

1. Navigate to Console

2. Select your project, environment and application

3. Select Environment Variables tab in the left panel:

   

   ---

   Switch to Secret Variables

   

4. Select variable you want to delete and click the Remove button:

   

How was it? Did this tutorial work?  Yes  No

Update a Secret

1. Navigate to Console

2. Select your project, environment and application

3. Select Environment Variables tab in the left panel:

   

   ---

   Switch to Secret Variables

   

4. Select variable you want to update and click the Edit button:

   

5. Update the variable in the popup window:

   

How was it? Did this tutorial work?  Yes  No

Override Secret

If you want to override a value of an secret, follow those steps:

1. Navigate to Console

2. Select your project, environment and application

3. Select Environment Variables tab in the left panel:

   

   ---

   Switch to Secret Variables

   

4. Select variable you want to override and click the Override button:

   

5. Override the variable in the popup window:

   

How was it? Did this tutorial work?  Yes  No

You can only override secrets of a higher scope, e.g. Environment scope variable can override Project variable, but can't override Application variable.

Alias Secret

You can create an alias for the existing secret.

Let's suppose that your application requires a DATABASE_URL variable. Qovery provides your application with the QOVERY_DATABASE_MY_POSTGRESQL_3498225_URL variable with a database password. Instead of copy-pasting its value, you can create an alias to QOVERY_DATABASE_MY_POSTGRESQL_3498225_URL.

1. Navigate to Console

2. Select your project, environment and application

3. Select Environment Variables tab in the left panel:

   

   ---

   Switch to Secret Variables

   

4. Select variable you want to alias and click the Alias button:

   

5. Alias the variable in the popup window:

   

How was it? Did this tutorial work?  Yes  No

Levels

There are four levels of Secrets. Each type differs in scope - you can create variables bound to application, environment, or project.

Scope	Level	Description
BUILT_IN	1	Automatically generated variables based on your configuration (e.g., requested databases) propagated to all projects, environments, and applications
PROJECT	2	Variables at the project level are shared across all environments and all applications of the project
ENVIRONMENT	3	Variables at the environment level are shared across all applications of the project in one, given environment
APPLICATION	4	Variables available for one application in one environment

Built-in variables

By default, every environment contains built-in variables:

Name	Example	Description
QOVERY_BRANCH_NAME	master	Git branch name
QOVERY_IS_PRODUCTION	true	Flag that indicates production environment

Additional built-in variables

For any added service (database, broker, storage), your application receives additional built-in variables. These can be used, for example, to connect to the database.

Naming Convention:

We use the following naming convention for additional built-in variables:

QOVERY_<SERVICE_TYPE>_<NAME>_<SPEC>

Additional Rules

• Secret keys should use only alphanumeric characters and the underscore character (_) to ensure that they are accessible from all programming languages. Secret keys should not include the hyphen character.
• Secret keys should not begin with a double underscore (__).
• A Secret’s key should not begin with QOVERY_ unless it is set by the Qovery platform itself.