Table of contents
- Secure storage
- Managing secrets
- Accessing secrets from code
## Secure storage
Fly apps include an encrypted secrets store for application configuration, credentials, etc.
We store all application secrets in Hashicorp Vault. Each application gets its own Vault policy, so one application cannot access secrets from another application.
The Fly API application can write secrets to Vault using application policies. It cannot read Vault secrets, however: once they're written, they can only be retrieved by the application at runtime.
When an application process starts, we provide its current secret set as a list of environment variables.
## Managing secrets
The Fly CLI has commands for managing secrets; run `flyctl secrets` to see the CLI docs.
### flyctl secrets set
Use `flyctl secrets set` to set one or more secrets on an application. This command sends key/value pairs through our API, which stores them in an encrypted vault that only your application has access to.
```
$ flyctl secrets set MY_KEY=asdf YOUR_KEY=jklm
VERSION  REASON  DESCRIPTION      USER                            DATE
v1               Secrets updated  firstname.lastname@example.org  0s ago
```
Once a secret is set, you can't retrieve it through the CLI or API; secrets are encrypted in such a way that only your application process can decrypt them.
If you've already deployed your app, setting secrets restarts any running process to ensure it's using the most current secret values.
### flyctl secrets list
Use the `flyctl secrets list` command to see which secrets are attached to an application, along with a digest of their values.
```
$ flyctl secrets list
NAME      DIGEST                            DATE
MY_KEY    912ec803b2ce49e4a541068d495ab570  10s ago
YOUR_KEY  9f1ff160c43185d5ecf784f371570801  9s ago
```
### flyctl secrets unset
Unsetting secrets is simple; just run `flyctl secrets unset MY_KEY YOUR_KEY`.
```
$ flyctl secrets unset MY_KEY YOUR_KEY
VERSION  REASON  DESCRIPTION      USER               DATE
v2               Secrets updated  email@example.com  1s ago
```
If you've already deployed your app, unsetting secrets restarts any running process to ensure it's using the most current secret values.
## Accessing secrets from code
Secrets are supplied to your application code as environment variables. Secret names are uppercased, so setting
MY_SECRET are equivalent and result in an environment variable named
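The following is an added example of how an application might consume the secrets described above at startup; it is not code from Fly's documentation or the `flyctl` tool. It assumes only what this page states: secrets arrive as environment variables and their names are uppercased. It normalizes requested names to uppercase, fails fast if a required secret is absent or empty, and produces a short fingerprint for logs instead of ever logging the value itself. The fingerprint here uses a truncated SHA-256, which is an assumption for illustration; the digest algorithm behind `flyctl secrets list` is not stated on this page. The `env` dictionary in `main()` is constructed sample input standing in for the real process environment.

```python
import hashlib
import os
import sys
from typing import Dict, Iterable, Mapping, Optional


def secret_name(name: str) -> str:
    """Fly uppercases secret names, so always look up the uppercased form."""
    return name.upper()


def digest(value: str) -> str:
    """Short fingerprint safe to log (assumed scheme: first 16 hex chars of SHA-256).

    Lets you confirm which value a process is running with without writing the
    secret itself to logs.
    """
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def load_secrets(required: Iterable[str],
                 env: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Return the required secrets from the environment, keyed by uppercased name.

    Raises RuntimeError listing every missing or empty secret, so a misconfigured
    deploy fails at startup rather than at the first use of a credential.
    """
    source = os.environ if env is None else env
    found: Dict[str, str] = {}
    missing = []
    for name in required:
        key = secret_name(name)
        value = source.get(key, "")
        if value == "":
            missing.append(key)
        else:
            found[key] = value
    if missing:
        raise RuntimeError("missing required secrets: " + ", ".join(sorted(missing)))
    return found


def startup_report(secrets: Mapping[str, str]) -> Dict[str, str]:
    """Map each secret name to its fingerprint; this is what goes in the startup log."""
    return {name: digest(value) for name, value in secrets.items()}


def main() -> int:
    # Constructed stand-in for the process environment Fly would populate
    # (same names as the flyctl examples above).
    env = {"MY_KEY": "asdf", "YOUR_KEY": "jklm", "PATH": "/usr/bin"}
    try:
        # Mixed-case request to show the uppercasing rule in action.
        secrets = load_secrets(["my_key", "YOUR_KEY"], env)
    except RuntimeError as exc:
        print(exc, file=sys.stderr)
        return 1
    for name, fp in startup_report(secrets).items():
        print(f"{name} loaded (digest {fp})")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Passing `env` explicitly keeps the loader testable without touching the real environment; in production, call `load_secrets(...)` with no `env` argument and it reads `os.environ`, which is where Fly places the secret set when the process starts.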