To supply secrets to your services, such as various API keys and passwords, prefix the value in the configuration file with !secret.
This will mark the value as sensitive, resulting in it not being shown within the Envirobly dashboard.
To further prevent adding plain text values directly into your deploy.yml file, pull them from other sources instead, using embedded Ruby (ERB). This allows you to fetch data from the local environment or execute programs (like key chains) and capture their output.
services:
  blog:
    # Reading from a file
    RAILS_MASTER_KEY: !secret <%= File.read("config/master.key") %>
    # Passing local environment variable
    OPENAI_API_KEY: !secret <%= ENV["OPENAI_API_KEY"] %>
    # Using output of external program, like 1Password CLI
    PASSWORD: !secret <%= `op item get Secret --format json | jq .password`.strip %>
    # Passing local environment variable with a fallback if it isn't set
    VERSION: <%= ENV.fetch("BLOG_VERSION", 45) %>
Notice we don’t put sensitive values into the file directly in plain text. They are pulled from external sources that are not part of your project’s Git repository.
Here’s an example of what we’re trying to prevent:
services:
  blog:
    # Don't do this in a production application
    INSECURE: !secret mySecretInPlainText
When embedding Ruby code into your deploy config, it’s a good idea to do a deployment dry run, so that you can check all the values have been populated as you expect. You can do so using the --dry-run argument:
envirobly deploy --dry-run
This will output the compiled deploy config and information about where the deployment is headed. This allows you to check how all the dynamic values have been evaluated and any overrides merged on top of the base config.
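A check that complements the dry run and the plain text warning above, as an added example that is not part of Envirobly or its documentation: it scans the raw deploy config and reports `!secret` values typed directly into the file, as well as `ENV["..."]` lookups that would render as an empty secret because the variable is unset. It assumes secrets are written on one line as `KEY: !secret value`, as on this page; every name in it (`lint_secrets`, `SECRET_LINE`, `ERB_ONLY`, `ENV_LOOKUP`, `SAMPLE`) is hypothetical.

```ruby
# Added example: lint the raw (un-rendered) deploy config for risky !secret values.
# All names here are hypothetical and not part of Envirobly.

# "KEY: !secret VALUE" on one line, the form used throughout this page.
SECRET_LINE = /^\s*([A-Za-z_][A-Za-z0-9_]*):\s*!secret\b[ \t]*(.*)$/
# A value that is exactly one ERB output tag and nothing else.
ERB_ONLY = /\A<%=(?:(?!%>).)*%>\z/
# A plain ENV["NAME"] lookup, which yields nil (rendered as "") when unset.
ENV_LOOKUP = /ENV\[["'](\w+)["']\]/

# Returns [[line_number, key, problem], ...]. The template is never evaluated,
# so no file is read and no external program (such as a key chain CLI) is run.
def lint_secrets(source, env: ENV)
  findings = []
  source.each_line.with_index(1) do |line, number|
    match = SECRET_LINE.match(line.chomp)
    next unless match
    key = match[1]
    value = match[2].strip
    if value !~ ERB_ONLY
      findings << [number, key, :literal]    # secret typed into the file
    elsif (name = value[ENV_LOOKUP, 1]) && env[name].to_s.empty?
      findings << [number, key, :unset_env]  # would deploy an empty secret
    end
  end
  findings
end

# Constructed sample input, assembled from the snippets on this page.
SAMPLE = <<~'YAML'
  services:
    blog:
      RAILS_MASTER_KEY: !secret <%= File.read("config/master.key") %>
      OPENAI_API_KEY: !secret <%= ENV["OPENAI_API_KEY"] %>
      INSECURE: !secret mySecretInPlainText
      VERSION: <%= ENV.fetch("BLOG_VERSION", 45) %>
YAML

if __FILE__ == $PROGRAM_NAME
  # Lint the file given as the first argument, or the sample above.
  source = ARGV[0] ? File.read(ARGV[0]) : SAMPLE
  lint_secrets(source).each do |number, key, problem|
    puts "line #{number}: #{key}: #{problem}"
  end
end
```

Because the template is only pattern-matched and never rendered, this check can run in a pre-commit hook or CI job where the real secrets are not available.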