Secrets and Fly Apps
Secrets allow sensitive values, such as credentials, to be passed securely to your Fly App. The secret is encrypted and stored in a vault. An app’s secrets are available as environment variables on every Machine belonging to that Fly App, whether the Machine is part of Fly Launch (deployed with fly deploy
) or not.
Specify secrets for your Fly App using the fly secrets
command.
Architecture
Secrets are stored in an encrypted vault. When you set a secret through flyctl, it sends the secret value through our API, which writes to the vault for your specific Fly App. The API servers can only encrypt; they cannot decrypt secret values. Secret values are never logged.
When we launch a Machine for your app, we issue a temporary auth token to the host it runs on. The Fly.io agent on the host uses this token to decrypt your app secrets and inject them into your Machine as environment variables at boot time. When you destroy your Machines, the host environment no longer has access to your app secrets.
flyctl
and our API servers are designed to prevent user secrets from being extracted. However, secrets are available to your application code as environment variables. People with deploy access can deploy code that reads secret values and prints them to logs, or writes them to unencrypted data stores.
Setting secrets
The fly secrets set
command sets one or more app secrets, then updates each Machine belonging to that Fly App. This involves a restart of the Machine and a consequent reset of its ephemeral file system.
fly secrets set DATABASE_URL=postgres://example.com/mydb
In the above example, the secret is avaliable as the DATABASE_URL
environment variable within your application processes.
To set, or update, a secret in the app’s vault, but defer updating the Machines to later, use the --stage
option:
fly secrets set DATABASE_URL=postgres://example.com/mydb --stage
In this case, the new secret value will be available only on Machines that are started or updated after the fly secrets set
command was run.
Removing secrets
The fly secrets unset
command clears one or more secret values.
fly secrets unset MY_SECRET DATABASE_URL
Listing secrets
fly secrets list
NAME | DIGEST | DATE
+--------------+----------------------------------+---------+
MY_SECRET | b9e37b7b239ee4aefc75352fe3fa6dc6 | 17s ago
DATABASE_URL | cdbe3268a82bfe993921b9cae2a526af | 17s ago
For security reasons, we do not allow read access to the plain-text values of secrets.