Secrets
Securely store and manage sensitive configuration values.
Secrets store sensitive values like API keys, passwords, and tokens. They are encrypted at rest in Kubernetes and can be referenced by your services as environment variables.
Secret types
| Type | Created by | Description |
|---|---|---|
| Custom | You | User-defined key-value pairs |
| Database credentials | Auto | Generated when a database is created |
| Registry credentials | Auto | Generated when a VPC is created |
Creating a secret
- Go to your VPC's Secrets section
- Click Create Secret
- Enter a name and add key-value pairs:
API_KEY = sk-abc123def456
WEBHOOK_SECRET = whsec_xyz789- Click Create
Secret values are write-only — once saved, they cannot be viewed in the dashboard. You can update or delete individual keys.
Referencing secrets in services
To use a secret in a service, link it as an environment variable:
- Go to your service's Environment Variables tab
- Add a variable and choose Link from secret
- Select the secret and the key you want
- Save and redeploy
The secret value is injected into your container at startup via Kubernetes secretKeyRef.
Auto-generated secrets
Database credentials
When you create a database, SMLL creates a secret with:
| Key | Description |
|---|---|
POSTGRES_USER | Database username |
POSTGRES_PASSWORD | Database password |
POSTGRES_HOST | Internal hostname |
POSTGRES_PORT | Port number |
POSTGRES_DB | Database name |
DATABASE_URL | Full connection string |
Registry credentials
Each VPC gets a registry secret with:
| Key | Description |
|---|---|
REGISTRY_URL | Registry hostname |
REGISTRY_USER | Registry username |
REGISTRY_PASSWORD | Registry password |
Updating secrets
You can update individual keys within a secret:
- Go to the secret detail page
- Click Edit
- Modify or add keys
- Save
Services referencing the updated secret need to be redeployed to pick up the new values.
Deleting secrets
Secrets that are currently referenced by a service's environment variables cannot be deleted. Remove the references first, then delete the secret.
Best practices
- Never commit secrets to source control — use SMLL secrets instead of
.envfiles in your repository - Scope secrets per service — don't share a single secret across all services if they don't all need the same keys
- Rotate credentials regularly — update secret values and redeploy services to pick up new values
- Use auto-generated database credentials — they're created securely and scoped to the specific database
- Use descriptive key names —
STRIPE_SECRET_KEYis clearer thanKEY_1
Related
- Environment Variables — how to inject secrets into services
- Database Credentials — auto-generated connection secrets