Secrets

If your projects and applications rely on sensitive data like credentials, API keys, certificates, the best way to store them is Secrets. The difference between Environment Variables and Secrets is that Secrets are safely encrypted, and their values can not be retrieved via Qovery API - they are only accessible for your application during build and runtime.

Create a Secret

  1. Navigate to Console

  2. Select your project, environment and application

  3. Select Environment Variables tab in the left panel:

    Secret


    Switch to Secret Variables and click Create button:

    Secret

  4. Select the name and value of your new secret

    Variables

    Scopes

Delete a Secret

  1. Navigate to Console

  2. Select your project, environment and application

  3. Select Environment Variables tab in the left panel:

    Secret


    Switch to Secret Variables

    Secret

  4. Select variable you want to delete and click the Remove button:

    Delete Variables

Update a Secret

  1. Navigate to Console

  2. Select your project, environment and application

  3. Select Environment Variables tab in the left panel:

    Secret


    Switch to Secret Variables

    Secret

  4. Select variable you want to update and click the Edit button:

    Update Variables

  5. Update the variable in the popup window:

    Update Variables

Override Secret

If you want to override a value of an secret, follow those steps:

  1. Navigate to Console

  2. Select your project, environment and application

  3. Select Environment Variables tab in the left panel:

    Secret


    Switch to Secret Variables

    Secret

  4. Select variable you want to override and click the Override button:

    Override Variables

  5. Override the variable in the popup window:

    Override Variables

Alias Secret

You can create an alias for the existing secret.

Let's suppose that your application requires a DATABASE_URL variable. Qovery provides your application with the QOVERY_DATABASE_MY_POSTGRESQL_3498225_URL variable with a database password. Instead of copy-pasting its value, you can create an alias to QOVERY_DATABASE_MY_POSTGRESQL_3498225_URL.

  1. Navigate to Console

  2. Select your project, environment and application

  3. Select Environment Variables tab in the left panel:

    Secret


    Switch to Secret Variables

    Secret

  4. Select variable you want to alias and click the Alias button:

    ALias Variables

  5. Alias the variable in the popup window:

    Alias Variables

Levels

There are four levels of Secrets. Each type differs in scope - you can create variables bound to application, environment, or project.

ScopeLevelDescription
BUILT_IN1Automatically generated variables based on your configuration (e.g., requested databases) propagated to all projects, environments, and applications
PROJECT2Variables at the project level are shared across all environments and all applications of the project
ENVIRONMENT3Variables at the environment level are shared across all applications of the project in one, given environment
APPLICATION4Variables available for one application in one environment

Built-in variables

By default, every environment contains built-in variables:

NameExampleDescription
QOVERY_BRANCH_NAMEmasterGit branch name
QOVERY_IS_PRODUCTIONtrueFlag that indicates production environment

Additional built-in variables

For any added service (database, broker, storage), your application receives additional built-in variables. These can be used, for example, to connect to the database.

Naming Convention:

We use the following naming convention for additional built-in variables:

QOVERY_<SERVICE_TYPE>_<NAME>_<SPEC>

Additional Rules

  • Secret keys should use only alphanumeric characters and the underscore character (_) to ensure that they are accessible from all programming languages. Secret keys should not include the hyphen character.
  • Secret keys should not begin with a double underscore (__).
  • A Secret’s key should not begin with QOVERY_ unless it is set by the Qovery platform itself.