Secrets management


One of the challenges of building a containerized architecture is protecting the secrets that are necessary for its successful operation. Unlike in monolithic architectures where credentials are provided from one place, each service must have its own set of credentials for accessing resources that it needs, such as databases and other services. As your architecture scales, so does the complexity of maintaining secrets for every single service.

A “secret” can be any sensitive credential, key, or password that would compromise your application/business security if exposed. Some examples:

  • Database credentials
  • Private keys for signing or identity (e.g., SSH keys or API keys)
  • Private certificates for communication (e.g., PGP, SSL)

The Humanitec platform provides an interface that lets you define secrets for each of the modules in your app. These secrets are delivered to the container running your app at initialization time. This setup ensures that only the owner of a Humanitec platform app can access the secrets.

How to set secrets for modules

If you have already created an app on the platform with one or more modules, then you can set the secrets for each module.

  1. Log in to to the Humanitec platform.
  2. Switch to the app where you want to set the secrets.
  3. Click on the module whose secrets you want to set.
  4. The module configuration screen will load. Scroll down to the Secrets section. Enter the key name for your secret in the left input field, and enter its value in the right input field.
    Screenshot: Filling in a secret
  5. Click Create.
  6. Click Close in the top right corner and then re-deploy your app.

Now the module can access the secret as an environment variable in the Pod where it runs.

Once you create a secret, it will display as hidden by default whenever you load the Secrets section again.

Note that you must define secrets for each environment separately—secrets are not promoted when you create a new environment.

Best practices

We recommend the following best practices for managing your secrets:

  • Never commit secrets to a source code repository. Anyone with access to the repository will have access to the secrets.
  • Do not store secrets in the module’s configuration map (under the “Variables” section).
  • Ensure that your secrets are difficult to guess or crack.
  • Do not reuse secrets among modules.