Comment on page
Secrets are a storage mechanism for sensitive values. When integrating with external systems you'll often use an API key or token for authentication. These values should be stored as secrets.
The use of secrets is restricted to help protect the values from being exposed. Secrets are only available server-side and are not available in the Appfarm Client. Secrets can be used within services, as well as the Web Request action node in apps (provided Send from Client is not selected).
A secret can have the same value across all environments, or environment-specific values can be set. Setting environment-specific values is particularly useful when you have different API keys for integrating towards a test and production environment.
Changes to secrets have immediate effect and do not require a deploy. To prevent accidental changes you should lock your secrets.
Any user with access to a solution in Appfarm Create can list all the solution's secrets by name. This is necessary in order to be able to specify a secret as a property in an action node.
To see the value of the secret in Appfarm Create you need the permission Read any Secret value. This permission is not needed to run an action node that uses a secret.
Separate permissions are required for modifying secrets:
- Create Secret
- Update any Secret
- Delete any Secret
To update a secret from a service, the role of the user/service account running the service requires permission to update that specific secret, granted under Update Secret from Service. Only secrets marked as Environment Specific and that are unlocked can be updated from a service.
If a bad actor has access to your solution Appfarm Create they can still access your secrets even if their role(s) do not have permission to read secrets. This is possible by using a secret in an app or service and sending it to a target that they control. To help mitigate this issue, we recommend using environment-specific secrets and implementing a review process before deploying.