Secrets
If your projects and applications rely on sensitive data such as credentials, API keys, or certificates, the best way to store them is as Secrets. The difference between Environment Variables and Secrets is that Secrets are safely encrypted, and their values cannot be retrieved via the Qovery API. They are only accessible to your application during build and runtime.
Create a Secret
Navigate to Console
Select your project, environment and application
Select the Environment Variables tab in the left panel
Switch to Secret Variables and click the Create button
Select the name and value of your new secret
Scopes
Delete a Secret
Navigate to Console
Select your project, environment and application
Select the Environment Variables tab in the left panel
Switch to Secret Variables
Select the variable you want to delete and click the Remove button
Update a Secret
Navigate to Console
Select your project, environment and application
Select the Environment Variables tab in the left panel
Switch to Secret Variables
Select the variable you want to update and click the Edit button
Update the variable in the popup window
Override Secret
If you want to override the value of a secret, follow these steps:
Navigate to Console
Select your project, environment and application
Select the Environment Variables tab in the left panel
Switch to Secret Variables
Select the variable you want to override and click the Override button
Override the variable in the popup window
Alias Secret
You can create an alias for an existing secret.
Let's suppose that your application requires a DATABASE_URL variable. Qovery provides your application with the QOVERY_DATABASE_MY_POSTGRESQL_3498225_URL variable with a database password.
Instead of copy-pasting its value, you can create an alias to QOVERY_DATABASE_MY_POSTGRESQL_3498225_URL.
Navigate to Console
Select your project, environment and application
Select the Environment Variables tab in the left panel
Switch to Secret Variables
Select the variable you want to alias and click the Alias button
Alias the variable in the popup window
Levels
There are four levels of Secrets. Each type differs in scope - you can create variables bound to application, environment, or project.
Scope | Level | Description |
---|---|---|
BUILT_IN | 1 | Automatically generated variables based on your configuration (e.g., requested databases) propagated to all projects, environments, and applications |
PROJECT | 2 | Variables at the project level are shared across all environments and all applications of the project |
ENVIRONMENT | 3 | Variables at the environment level are shared across all applications of the project in one, given environment |
APPLICATION | 4 | Variables available for one application in one environment |
Built-in variables
By default, every environment contains built-in variables:
Name | Example | Description |
---|---|---|
QOVERY_BRANCH_NAME | master | Git branch name |
QOVERY_IS_PRODUCTION | true | Flag that indicates production environment |
Additional built-in variables
For any added service (database, broker, storage), your application receives additional built-in variables. These can be used, for example, to connect to the database.
Naming Convention:
We use the following naming convention for additional built-in variables:
QOVERY_<SERVICE_TYPE>_<NAME>_<SPEC>
Additional Rules
- Secret keys should use only alphanumeric characters and the underscore character (_) to ensure that they are accessible from all programming languages. Secret keys should not include the hyphen character.
- Secret keys should not begin with a double underscore (__).
- A Secret’s key should not begin with QOVERY_ unless it is set by the Qovery platform itself.
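
The rules above can be checked before keys are created in the Console. The following linter is an added example, not Qovery's own code: `check_secret_key`, `lint_keys`, the `platform_set` flag and the sample keys are hypothetical, and "alphanumeric" is assumed to mean ASCII letters and digits.

```python
import re

# Page rule: only alphanumerics and underscore (assumed ASCII), so no hyphen.
_ALLOWED = re.compile(r"[A-Za-z0-9_]+")
RESERVED_PREFIX = "QOVERY_"  # reserved for keys set by the platform itself


def check_secret_key(key, platform_set=False):
    """Return the list of rule violations for one secret key (empty = OK).

    platform_set is a hypothetical flag marking keys generated by Qovery,
    the only ones allowed to carry the QOVERY_ prefix.
    """
    if not key:
        return ["key is empty"]  # added sanity check, not a rule from the page
    problems = []
    # Whatever remains after stripping allowed characters is disallowed.
    bad = sorted(set(_ALLOWED.sub("", key)))
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    if key.startswith("__"):
        problems.append("begins with a double underscore")
    if key.startswith(RESERVED_PREFIX) and not platform_set:
        problems.append("QOVERY_ prefix is reserved for platform-set keys")
    return problems


def lint_keys(keys):
    """Check user-defined keys; return {key: [violations]} for failing keys only."""
    report = {}
    for key in keys:
        problems = check_secret_key(key)
        if problems:
            report[key] = problems
    return report


# Constructed sample: key names only, never secret values.
SAMPLE_KEYS = [
    "DATABASE_URL",
    "stripe-api-key",
    "__INTERNAL_TOKEN",
    "QOVERY_MY_OVERRIDE",
    "TLS.CERT",
]

if __name__ == "__main__":
    for key, problems in lint_keys(SAMPLE_KEYS).items():
        print(f"{key}: {'; '.join(problems)}")
```

The linter only ever sees key names, so it can run in CI or a pre-commit hook without any secret value passing through it.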