Application secrets

Fly apps include an encrypted secrets store for application configuration, credentials, etc.

Secure storage

We store all application secrets in HashiCorp Vault. Each application gets its own Vault policy, so one application cannot access secrets from another application.

Write permissions

The Fly API application can write secrets to Vault using application policies. It cannot read Vault secrets, however: once they're written, they can only be retrieved by the application at runtime.

Read permissions

When an application process starts, we provide its current secret set as a list of environment variables.

Managing secrets

The Fly CLI has commands for managing secrets. Run flyctl secrets to see the CLI docs.

flyctl secrets set

Run flyctl secrets set to set one or more secrets on an application. This command sends key/value pairs through our API, which stores them in an encrypted vault that only your application has access to.

Example:

flyctl secrets set MY_KEY=asdf YOUR_KEY=jklm
  VERSION   REASON            DESCRIPTION   USER               DATE    
  v1        Secrets updated                 dev@fly.local      0s ago  

Once a secret is set, you can't retrieve it through the CLI or API. Secrets are encrypted in such a way that only your application process can decrypt them.

If you've already deployed your app, setting secrets restarts any running processes to ensure they're using the most current secret values.

flyctl secrets list

Use the list command to see what secrets are attached to an application, along with a digest of their values.

flyctl secrets list
  NAME       DIGEST                             DATE     
  MY_KEY     912ec803b2ce49e4a541068d495ab570   10s ago  
  YOUR_KEY   9f1ff160c43185d5ecf784f371570801   9s ago 

flyctl secrets unset

To unset secrets, run flyctl secrets unset MY_KEY YOUR_KEY.

  VERSION   REASON            DESCRIPTION   USER               DATE    
  v2        Secrets updated                 dev@fly.local      1s ago  

If you've already deployed your app, unsetting secrets restarts any running processes to ensure they're using the most current secret values.

Accessing secrets from code

Secrets are supplied to your application code as environment variables. Secret names are uppercased, so my_secret, My_Secret, and MY_SECRET are equivalent: each results in an environment variable named MY_SECRET.
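
A startup check for the behaviour described above, as an added example that is not part of the original page or Fly's own code. It resolves the names your code asks for to their uppercased environment variables, rejects names that differ only by case, fails before serving traffic if a secret is missing, and keeps values out of logs. The names SecretError, Secret, env_name and load_secrets are hypothetical, and the sample environment is constructed.

```python
import os


class SecretError(RuntimeError):
    """Raised at startup when the secret set is incomplete or ambiguous."""


class Secret:
    """Wraps a secret value so it is not printed or logged by accident."""

    def __init__(self, value):
        self._value = value

    def reveal(self):
        return self._value

    def __repr__(self):
        return "Secret(****)"

    __str__ = __repr__


def env_name(name):
    # The page states that secret names are uppercased.
    return name.upper()


def load_secrets(required, environ=None):
    """Return {ENV_NAME: Secret} for every required name, or raise SecretError."""
    environ = os.environ if environ is None else environ
    seen = {}
    for name in required:
        key = env_name(name)
        if key in seen and seen[key] != name:
            # Two spellings that collapse to one variable are a config mistake.
            raise SecretError(f"{seen[key]!r} and {name!r} both map to {key}")
        seen[key] = name
    missing = sorted(k for k in seen if not environ.get(k))
    if missing:
        # Report names only, never values.
        raise SecretError("missing secrets: " + ", ".join(missing))
    return {k: Secret(environ[k]) for k in seen}


if __name__ == "__main__":
    # Constructed sample standing in for the variables injected at process start.
    sample = {"MY_KEY": "asdf", "YOUR_KEY": "jklm"}
    print(load_secrets(["my_key", "YOUR_KEY"], environ=sample))
```

Call load_secrets once at process start with no environ argument to read the real environment, and pass reveal() results only to the client that needs them.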