Secrets and Fly Apps

Secrets allow sensitive values, such as credentials, to be passed securely to your Fly App. The secret is encrypted and stored in a vault. An app’s secrets are available as environment variables on every Machine belonging to that Fly App, whether the Machine is part of Fly Launch (deployed with fly deploy) or not.

Specify secrets for your Fly App using the fly secrets command.

Architecture

Secrets are stored in an encrypted vault. When you set a secret through flyctl, it sends the secret value through our API, which writes to the vault for your specific Fly App. The API servers can only encrypt; they cannot decrypt secret values. Secret values are never logged.

When we launch a Machine for your app, we issue a temporary auth token to the host it runs on. The Fly.io agent on the host uses this token to decrypt your app secrets and inject them into your Machine as environment variables at boot time. When you destroy your Machines, the host environment no longer has access to your app secrets.

flyctl and our API servers are designed to prevent user secrets from being extracted. However, secrets are available to your application code as environment variables. People with deploy access can deploy code that reads secret values and prints them to logs, or writes them to unencrypted data stores.
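One application-side guard against the accidental case described above, where code prints a secret to the logs: a logging filter that scrubs the values of the app's secret environment variables before a record is written. This is an added example, not Fly.io code; it assumes a Python app and reuses the DATABASE_URL and MY_SECRET names from this page with constructed values. It does not stop someone with deploy access from deliberately writing a secret elsewhere or in an encoded form.

```python
import io
import logging
import os

# Assumption: the names given to `fly secrets set`; values come from the environment.
SECRET_NAMES = ("DATABASE_URL", "MY_SECRET")


class SecretRedactingFilter(logging.Filter):
    """Replace the value of each named secret with a placeholder in log output."""
    def __init__(self, names=SECRET_NAMES, environ=None):
        super().__init__()
        env = os.environ if environ is None else environ
        # Skip unset or very short values: redacting them would mangle normal text.
        pairs = [(env[n], f"[REDACTED:{n}]") for n in names if len(env.get(n, "")) >= 4]
        # Longest first, so a secret that contains another is replaced whole.
        self._pairs = sorted(pairs, key=lambda p: len(p[0]), reverse=True)

    def scrub(self, text):
        for value, placeholder in self._pairs:
            text = text.replace(value, placeholder)
        return text

    def filter(self, record):
        # Render msg % args first so secrets passed as arguments are caught too.
        record.msg = self.scrub(record.getMessage())
        record.args = None
        if record.exc_info:
            # Tracebacks can embed secrets; pre-render and scrub the cached text.
            record.exc_text = self.scrub(logging.Formatter().formatException(record.exc_info))
        return True


def demo():
    # Constructed sample values, not real credentials.
    env = {"DATABASE_URL": "postgres://example.com/mydb", "MY_SECRET": "hunter2-constructed"}
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(SecretRedactingFilter(environ=env))  # on the handler: covers all loggers
    log = logging.getLogger("redaction-demo")
    log.propagate = False
    log.addHandler(handler)
    log.warning("connecting to %s", env["DATABASE_URL"])
    try:
        raise RuntimeError("auth failed with " + env["MY_SECRET"])
    except RuntimeError:
        log.exception("startup error")
    log.removeHandler(handler)
    return stream.getvalue()
```

Attach the filter to every handler rather than to a logger, since logger-level filters are not applied to records propagated from child loggers.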

Setting secrets

The fly secrets set command sets one or more app secrets, then updates each Machine belonging to that Fly App. This involves a restart of the Machine and a consequent reset of its ephemeral file system.

fly secrets set DATABASE_URL=postgres://example.com/mydb 

In the above example, the secret is available as the DATABASE_URL environment variable within your application processes.

To set, or update, a secret in the app’s vault, but defer updating the Machines to later, use the --stage option:

fly secrets set DATABASE_URL=postgres://example.com/mydb --stage

In this case, the new secret value will be available only on Machines that are started or updated after the fly secrets set command was run.

Removing secrets

The fly secrets unset command clears one or more secret values.

fly secrets unset MY_SECRET DATABASE_URL

Listing secrets

fly secrets list
      NAME     |              DIGEST              |  DATE
+--------------+----------------------------------+---------+
  MY_SECRET    | b9e37b7b239ee4aefc75352fe3fa6dc6 | 17s ago
  DATABASE_URL | cdbe3268a82bfe993921b9cae2a526af | 17s ago

For security reasons, we do not allow read access to the plain-text values of secrets.