Secrets and Fly Apps
Secrets allow sensitive values, such as credentials, to be passed securely to your Fly App. The secret is encrypted and stored in a vault. An app’s secrets are available as environment variables on every Machine belonging to that Fly App, whether the Machine is part of Fly Launch (deployed with
fly deploy) or not.
Specify secrets for your Fly App using the
fly secrets command.
Secrets are stored in an encrypted vault. When you set a secret through flyctl, it sends the secret value through our API, which writes to the vault for your specific Fly App. The API servers can only encrypt; they cannot decrypt secret values. Secret values are never logged.
When we launch a Machine for your app, we issue a temporary auth token to the host it runs on. The Fly.io agent on the host uses this token to decrypt your app secrets and inject them into your Machine as environment variables at boot time. When you destroy your Machines, the host environment no longer has access to your app secrets.
flyctl and our API servers are designed to prevent user secrets from being extracted. However, secrets are available to your application code as environment variables. People with deploy access can deploy code that reads secret values and prints them to logs, or writes them to unencrypted data stores.
fly secrets set command sets one or more app secrets, then updates each Machine belonging to that Fly App. This involves a restart of the Machine and a consequent reset of its ephemeral file system.
The following example sets a secret that’s available as the
DATABASE_URL environment variable within your application processes:
fly secrets set DATABASE_URL=postgres://example.com/mydb
To set, or update, a secret in the app’s vault, but defer updating the Machines to later, use the
--stage option. For example:
fly secrets set DATABASE_URL=postgres://example.com/mydb --stage
In the preceding example, the staged secret will be available only on Machines that are started or updated after the
fly secrets set command was run.
secrets command can also take secrets from STDIN. For commands and options, see the
fly secrets docs or run
fly secrets --help.
Note: You can update a machine by triggering a new release with
fly deploy. Alternatively, the
fly secrets deploy command will redeploy the current release with the staged secrets. This is helpful if you want to skip rebuilding the image from source code.
List secrets that are set for your app. The list shows only the secret name; the value is not shown as it is a secret.
fly secrets list
NAME | DIGEST | DATE +--------------+----------------------------------+---------+ MY_SECRET | b9e37b7b239ee4aefc75352fe3fa6dc6 | 17s ago DATABASE_URL | cdbe3268a82bfe993921b9cae2a526af | 17s ago
For security reasons, we do not allow read access to the plain-text values of secrets.
Remove one or more secret values from your app by name.
The following example removes two secrets from the app:
fly secrets unset MY_SECRET DATABASE_URL