Secrets
Learn how to manage sensitive secrets for your app.
The secret commands in Andasy CLI are designed to manage sensitive environment variables and secrets for applications deployed on the Andasy platform. Secrets are sensitive configuration values (like API keys, database passwords, or tokens) that your application needs at runtime but shouldn't be stored in your code or configuration files.
Secrets are encrypted environment variables that are:
- Stored securely - Encrypted at rest and transmitted securely
- Injected at runtime - Made available to your application as environment variables
- Not in code - Kept separate from your application code and configuration files
- Access-controlled - Only accessible to applications and users with proper permissions
Common examples of secrets include:
- Database connection strings and passwords
- API keys for third-party services
- OAuth client secrets
- Encryption keys
- Service account credentials
Using secrets instead of hardcoding sensitive values in your andasy.hcl file keeps your credentials secure and allows you to use different values for different environments (development, staging, production).
Command Syntax
andasy secret [command]
Aliases
The secret command can be invoked using any of the following aliases:
secret, env, secrets, sec
Available Commands
Secret List
The list command displays all secrets stored for a specified application.
Usage
andasy secret list -a <app-name> [flags]
Aliases
list, ls
Flags
| Flag | Short Form | Description | Required |
|---|---|---|---|
| --app | -a | The target Andasy application name | No |
| --config | -c | Path to application configuration file | No |
| --help | -h | Display help information for the list command | No |
| --json | -j | Output results in JSON format | No |
Example
# List all secrets for an app
andasy secret list
Secret Set
The set command creates or updates secrets for a specified application.
Usage
andasy secret set [flags] NAME=VALUE NAME=VALUE... -a <app-name>
Flags
| Flag | Short Form | Description | Required |
|---|---|---|---|
| --app | -a | The target Andasy application name | No |
| --config | -c | Path to application configuration file | No |
| --help | -h | Display help information for the set command | No |
| --json | -j | Output results in JSON format | No |
Examples
# Set a single secret for an app
andasy secret set API_KEY=abc123xyz
# Set multiple secrets at once
andasy secret set DB_USER=admin DB_PASSWORD=secure123 API_KEY=xyz987abc
# Set secrets using a specific config file
andasy secret set STRIPE_KEY=sk_test_123456 -a my-web-api -c ./config/andasy.hcl
Global Flags
The following flags are available across all andasy secret commands:
| Flag | Short Form | Description |
|---|---|---|
| --verbose | -v | Enable verbose output for detailed logging |
| --json | -j | Output results in JSON format |
Security Best Practices
When working with the andasy secret commands, consider these security recommendations:
- Never store secrets in version control: Use the andasy secret commands instead of hardcoding secrets in your andasy.hcl files.
- Limit access to secret management: Only authorized team members should have permission to view or modify secrets.
- Rotate secrets regularly: Update sensitive credentials periodically using the set command.
- Use different secrets across environments: Maintain separate secrets for development, staging, and production environments.
How Secrets Work
Secrets are stored separately from your application configuration and are automatically injected into your application's environment at runtime. Your application accesses them just like regular environment variables.
Setting Secrets
Secrets are set using the CLI and stored securely on Andasy's platform:
andasy secret set API_KEY=abc123xyz -a my-app
Using Secrets in Your Application
Secrets are automatically available as environment variables in your application. You don't need to reference them in andasy.hcl:
app_name = "my-web-api"
app {
  env = {
    # Only include non-sensitive environment variables here
    NODE_ENV = "production"
    LOG_LEVEL = "info"
  }
  # Secrets are automatically injected - no need to reference them here
}
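A pre-commit style check for the rule that secrets stay out of andasy.hcl, as an added example that is not part of the Andasy documentation or CLI: it scans the env block for entries that look like hardcoded secrets. The name patterns, the entropy threshold, the one-assignment-per-line parsing and the sample file are assumptions made for illustration.

```python
import math
import re

# Assumed heuristics (not an Andasy rule): names that usually hold credentials.
SENSITIVE_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE|CREDENTIAL", re.I)
ASSIGNMENT = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"')


def shannon_entropy(value):
    """Bits per character; long random-looking strings score high."""
    freqs = [value.count(c) / len(value) for c in set(value)]
    return -sum(p * math.log2(p) for p in freqs)


def find_hardcoded_secrets(hcl_text):
    """Return (line_no, name, reason) per suspicious env entry; one assignment per line assumed."""
    findings, in_env = [], False
    for line_no, raw in enumerate(hcl_text.splitlines(), start=1):
        stripped = raw.strip()
        if stripped.startswith("#"):
            continue  # comment lines never count as assignments
        if not in_env:
            in_env = re.match(r"env\s*=\s*\{", stripped) is not None
            continue
        if stripped.startswith("}"):
            in_env = False  # end of the env block
            continue
        match = ASSIGNMENT.match(raw)
        if not match:
            continue
        name, value = match.groups()
        if SENSITIVE_NAME.search(name):
            findings.append((line_no, name, "sensitive name"))
        elif len(value) >= 20 and shannon_entropy(value) >= 4.0:
            findings.append((line_no, name, "high-entropy value"))
    return findings


# Constructed sample: the last two env entries are deliberately wrong.
SAMPLE = '''app_name = "my-web-api"
app {
  env = {
    NODE_ENV = "production"
    DB_PASSWORD = "secure123"
    UPSTREAM = "k9Zq2LmX7vB4tR8wYp3NcJ6hD1sF5gA0"
  }
}
'''
```

Any entry it reports belongs in andasy secret set rather than in the env block; the findings carry only the line number and variable name, so the value itself is never echoed into CI logs.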
In your application code, access secrets like any environment variable:
// Node.js example
const apiKey = process.env.API_KEY;
# Python example
import os
api_key = os.environ.get('API_KEY')
The secrets set using the CLI are automatically injected into your application's environment at runtime, so your application code doesn't need any special handling. Just read environment variables as usual.
Common Use Cases
CI/CD Integration
In automated deployment pipelines, you can use the andasy secret set command to dynamically update secrets:
# In a CI/CD pipeline script
andasy secret set VERSION="$BUILD_VERSION" DEPLOY_TIME="$(date)" -a my-web-api
Database Credentials Management
Store database connection details securely:
andasy secret set \
  DB_HOST=postgres.example.com \
  DB_PORT=5432 \
  DB_USER=app_user \
  DB_PASSWORD=highly_secure_password \
  -a my-web-api
API Keys Rotation
When rotating API keys, you can easily update them:
# Update an API key
andasy secret set API_KEY=new_key_value -a my-web-api
Troubleshooting
| Issue | Solution |
|---|---|
| Command fails with "App not found" | Verify the app name with andasy apps list |
| Unable to set secrets | Ensure you have proper permissions for the application |
| Secrets not available in app | Check that the app is redeployed after setting new secrets |
Further Resources
- Use andasy secret [command] --help for detailed information about specific commands
- Refer to the Andasy documentation for more details about secret management and best practices