Secrets and Fly Apps

Specify secrets for your Fly App using the fly secrets command. Secrets allow sensitive values, such as credentials, to be passed securely to your Fly App. The secret is encrypted and stored in a vault. An app’s secrets are available as environment variables at runtime on every Machine belonging to that Fly App, whether the Machine managed by Fly Launch or not.

Data stored as secrets doesn’t have to be sensitive; secrets are made available to the app as environment variables to use for whatever purpose you like.

If you need secrets to be available when building your Docker image, see Build secrets.

Architecture

Secrets are stored in an encrypted vault. When you set a secret through flyctl, it sends the secret value through our API, which writes to the vault for your specific Fly App. The API servers can only encrypt; they cannot decrypt secret values. Secret values are never logged.

When we launch a Machine for your app, we issue a temporary auth token to the host it runs on. The Fly.io agent on the host uses this token to decrypt your app secrets and inject them into your Machine as environment variables at boot time. When you destroy your Machines, the host environment no longer has access to your app secrets.

Warning: flyctl and our API servers are designed to prevent user secrets from being extracted. However, secrets are available to your application code as environment variables. People with deploy access can deploy code that reads secret values and prints them to logs, or writes them to unencrypted data stores.

Set secrets

The fly secrets set command sets one or more app secrets, then updates each Machine belonging to that Fly App. This involves a restart of the Machine and a consequent reset of its ephemeral file system.

The following example sets a secret that’s available as the DATABASE_URL environment variable within your application processes:

fly secrets set DATABASE_URL=postgres://example.com/mydb 

To set, or update, a secret in the app’s vault, but defer updating the Machines to later, use the --stage option. For example:

fly secrets set DATABASE_URL=postgres://example.com/mydb --stage

In the preceding example, the staged secret will be available only on Machines that are started or updated after the fly secrets set command was run.

The secrets command can also take secrets from STDIN. For commands and options, see the fly secrets docs or run fly secrets --help.

Note: You can update a machine by triggering a new release with fly deploy. Alternatively, the fly secrets deploy command will redeploy the current release with the staged secrets. This is helpful if you want to skip rebuilding the image from source code.

List secrets

List secrets that are set for your app. The list shows only the secret name; the value is not shown as it is a secret.

For example:

fly secrets list
      NAME     |              DIGEST              |  DATE
+--------------+----------------------------------+---------+
  MY_SECRET    | b9e37b7b239ee4aefc75352fe3fa6dc6 | 17s ago
  DATABASE_URL | cdbe3268a82bfe993921b9cae2a526af | 17s ago

For security reasons, we do not allow read access to the plain-text values of secrets.

Remove secrets

Remove one or more secret values from your app by name.

The following example removes two secrets from the app:

fly secrets unset MY_SECRET DATABASE_URL