Represents a secure configuration value used for sensitive application data such as API keys, database passwords, and authentication tokens. Secrets can be defined at either the stack level or inherited from the account level.
- key (string) - The secret key name used to reference this secret in configurations and applications.
- value (string) - The encrypted secret value as stored in the system. This is the encrypted form for security purposes.
- raw_value (string) - The decrypted secret value. Handle with extreme care as this contains the actual sensitive data.
- inherited (boolean) - Whether this secret is inherited from the account level (true) or defined at the stack level (false).
- created_at_iso (string) - ISO 8601 formatted timestamp when the secret was created.
- updated_at_iso (string) - ISO 8601 formatted timestamp when the secret was last updated.
Secret Inheritance
Secrets can be configured at two levels:
Account-Level Secrets
- Global scope - Available to all stacks within the account
- Centralized management - Manage common secrets in one place
- Inherited flag - Marked with inherited: true
- Examples - Third-party API keys, organization-wide credentials
Stack-Level Secrets
- Stack-specific - Only available to the specific stack
- Local overrides - Can override inherited secrets with stack-specific values
- Inherited flag - Marked with inherited: false
- Examples - Database credentials, environment-specific tokens
Security Considerations
The raw_value field contains the actual decrypted secret value. Exercise extreme caution when accessing this field and ensure proper access controls and audit logging are in place.
Encryption
- At rest - All secret values are encrypted when stored
- In transit - Secrets are transmitted over encrypted connections
- Access control - Limited to authorized users and applications
- Audit logging - Secret access and modifications are logged
Use Cases
- Database credentials - Connection strings and passwords
- API authentication - Third-party service API keys and tokens
- Certificate keys - Private keys for SSL/TLS certificates
- Encryption keys - Application-level encryption keys
- Service credentials - Authentication for external services
Best Practices
- Minimal permissions - Grant access only to users and applications that need it
- Regular rotation - Regularly update secret values, especially for critical systems
- Environment separation - Use different secrets for development, staging, and production
- Secret scanning - Monitor for accidental secret exposure in code or logs
Example
{
  "key": "DATABASE_PASSWORD",
  "value": "encrypted:AES256:base64encodedencryptedvalue==",
  "raw_value": "mySecretPassword123!",
  "inherited": false,
  "created_at_iso": "2024-01-15T10:30:00Z",
  "updated_at_iso": "2024-02-10T14:25:00Z"
}
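The following Python sketch is an added example, not code from the product or its API client. It resolves stack-level overrides over inherited secrets, builds a log-safe view that never carries raw_value, and flags secrets due for rotation. It assumes a listing may contain both an inherited and a stack-level entry for the same key; the function names, the sample data and the 90-day rotation threshold are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample data in the documented shape; none of these are real secrets.
SAMPLE = json.loads("""[
 {"key": "DATABASE_PASSWORD", "value": "encrypted:AES256:QUNDVA==", "raw_value": "account-default",
  "inherited": true, "created_at_iso": "2023-03-01T09:00:00Z", "updated_at_iso": "2023-03-01T09:00:00Z"},
 {"key": "DATABASE_PASSWORD", "value": "encrypted:AES256:U1RBQ0s=", "raw_value": "stack-override",
  "inherited": false, "created_at_iso": "2024-01-15T10:30:00Z", "updated_at_iso": "2024-02-10T14:25:00Z"},
 {"key": "PAYMENTS_API_KEY", "value": "encrypted:AES256:UEFZ", "raw_value": "account-api-key",
  "inherited": true, "created_at_iso": "2023-05-20T08:00:00Z", "updated_at_iso": "2023-05-20T08:00:00Z"}
]""")

def parse_iso(ts):
    """Parse an ISO 8601 timestamp; a trailing 'Z' is mapped to +00:00."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def effective_secrets(secrets):
    """Resolve one secret per key: a stack-level entry (inherited false)
    takes precedence over an account-level one (inherited true)."""
    resolved = {}
    for s in secrets:
        current = resolved.get(s["key"])
        if current is None or (current["inherited"] and not s["inherited"]):
            resolved[s["key"]] = s
    return resolved

def redact(secret):
    """Log-safe view: drop raw_value and the ciphertext, keep only metadata."""
    safe = {k: v for k, v in secret.items() if k not in ("raw_value", "value")}
    safe["scope"] = "account" if secret["inherited"] else "stack"
    return safe

def stale_keys(secrets, now, max_age_days=90):
    """Keys whose updated_at_iso is older than max_age_days (assumed policy)."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(k for k, s in secrets.items() if parse_iso(s["updated_at_iso"]) < cutoff)

if __name__ == "__main__":
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed for a repeatable run
    resolved = effective_secrets(SAMPLE)
    for s in resolved.values():
        print(json.dumps(redact(s), sort_keys=True))
    print("rotate:", stale_keys(resolved, now))
```

Only the redacted view should reach logs or monitoring; code that needs raw_value should read it from the resolved entry at the point of use and not copy it elsewhere.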