Secrets

Securely manage sensitive data used by your blueprints

Overview

Secrets let you store and manage sensitive values like API keys, credentials, or tokens at the environment level. They ensure that confidential information is safely injected into deployments without ever exposing it in blueprints, logs, or UI fields.

By managing secrets centrally, you make it easier to reuse blueprints securely while maintaining strict control over who can access or update sensitive values.

How Environment Secrets Work

  • Automatic Injection: When a blueprint references a secret key that exists in the environment, the secret’s value is automatically injected at runtime.

  • Scoped by Environment: Each environment has its own isolated secret store, ensuring that secrets never leak across environments.

  • Hidden by Design: Secret values are encrypted, never displayed in plain text, and cannot be retrieved once saved.

  • Version-Aware: If you update a secret, new deployments automatically use the latest value, while existing ones remain unaffected.

  • Access-Controlled: Only users with the right permissions can create, update, or delete secrets. Others can reference them but not view their values.

How to Use Secrets in Blueprints

Secrets are defined at the environment level and then referenced inside blueprints. Once set, they can be dynamically injected at runtime by the Bluebricks Orchestrator.

Step 1: Create a Secret

  1. Navigate to the desired Environment page.

  2. Select Secrets from the left-side menu.

  3. Click Create Secret.

  4. Enter the secret name (key) and its value. The key is what blueprints will reference, for example max_password_age.

  5. Click Save.

Once saved, the value is encrypted and hidden. You can update it later, but you won’t be able to view it again.

Step 2: Reference the Secret in bricks.json

In your blueprint’s bricks.json, reference the secret as Secrets.<key>: the Secrets keyword, a period, then the exact key you gave the secret in the environment.

Example

{
  "name": "@bluebricks/aws_iam_policy",
  "version": "1.0.0",
  "packages": {
    "iam_password_policy": {
      "name": "terraform_aws_iam_account_policy",
      "version": "1.0.3",
      "props": {
        "max_password_age": {
          "value": "Secrets.max_password_age"
        },
        "minimum_password_length": {
          "value": 14
        }
      }
    }
  }
}

Here, the max_password_age property securely pulls its value from the environment’s max_password_age secret during runtime.

When a deployment runs, the Bluebricks Orchestrator generates a secrets map for the target environment. Each property in the blueprint that references Secrets.<key> is automatically replaced with the corresponding secret’s value.

Secret values are never written to logs or exposed in the UI; they exist only at runtime, inside the secure execution context of the deployment.
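To make the resolution step concrete, here is a small Python illustration of what the description above implies: walk a parsed bricks.json, replace every property whose value is exactly Secrets.<key> with the value from the target environment's secrets map, fail the deployment if the key is missing from that environment rather than shipping the literal reference string, and keep a redacted copy for logging. This is an added example, not the Bluebricks Orchestrator's own code; the environment names, the secret values, the whole-string matching rule and the <redacted> marker are assumptions made for the example.

```python
import json
import re

# Constructed sample input: the bricks.json from this page, embedded so the
# example runs offline.
BRICKS_JSON = json.loads("""
{
  "name": "@bluebricks/aws_iam_policy",
  "version": "1.0.0",
  "packages": {
    "iam_password_policy": {
      "name": "terraform_aws_iam_account_policy",
      "version": "1.0.3",
      "props": {
        "max_password_age": {"value": "Secrets.max_password_age"},
        "minimum_password_length": {"value": 14}
      }
    }
  }
}
""")

# Constructed per-environment secret stores (assumption: plain dicts stand in
# for the platform's encrypted, per-environment stores). Each environment is
# isolated; "dev" deliberately defines no secrets.
ENVIRONMENT_SECRETS = {
    "staging": {"max_password_age": "45"},
    "production": {"max_password_age": "90"},
    "dev": {},
}

# Assumption: a reference is the whole string "Secrets.<key>", never a
# substring embedded in a longer value.
SECRET_REF = re.compile(r"^Secrets\.([A-Za-z0-9_]+)$")

REDACTED = "<redacted>"


class MissingSecretError(KeyError):
    """A blueprint references a key the target environment does not define."""


def resolve_secrets(node, secrets, path="$"):
    """Recursively replace every "Secrets.<key>" value in a parsed bricks.json.

    Returns (resolved_copy, resolved_paths). The input is not mutated, and a
    missing key raises instead of letting the literal reference reach the
    deployment.
    """
    if isinstance(node, dict):
        out, paths = {}, []
        for key, value in node.items():
            out[key], sub = resolve_secrets(value, secrets, f"{path}.{key}")
            paths.extend(sub)
        return out, paths
    if isinstance(node, list):
        out, paths = [], []
        for i, value in enumerate(node):
            item, sub = resolve_secrets(value, secrets, f"{path}[{i}]")
            out.append(item)
            paths.extend(sub)
        return out, paths
    if isinstance(node, str):
        match = SECRET_REF.match(node)
        if match:
            name = match.group(1)
            if name not in secrets:
                raise MissingSecretError(f"{path}: no secret {name!r} in this environment")
            return secrets[name], [path]
    return node, []  # numbers, booleans, null and ordinary strings pass through


def redact(node, secret_paths, path="$"):
    """Copy of a resolved blueprint with every injected secret masked, for logs."""
    if path in secret_paths:
        return REDACTED
    if isinstance(node, dict):
        return {k: redact(v, secret_paths, f"{path}.{k}") for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v, secret_paths, f"{path}[{i}]") for i, v in enumerate(node)]
    return node


def render_for_environment(blueprint, environment):
    """Return (deployable_blueprint, loggable_blueprint) for one environment."""
    secrets = ENVIRONMENT_SECRETS[environment]  # KeyError for an unknown environment
    resolved, paths = resolve_secrets(blueprint, secrets)
    return resolved, redact(resolved, paths)


if __name__ == "__main__":
    for env in ("staging", "production"):
        deployable, loggable = render_for_environment(BRICKS_JSON, env)
        print(env, "->", json.dumps(loggable["packages"]["iam_password_policy"]["props"]))
    try:
        render_for_environment(BRICKS_JSON, "dev")
    except MissingSecretError as err:
        print("dev ->", err)
```

Two design points carry over to any orchestrator that does this: resolution must be scoped to one environment's store so the same blueprint yields different values in staging and production without either leaking into the other, and anything that is logged must come from the redacted copy, never from the deployable one.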

Managed Encryption Keys

Bluebricks currently supports two options for the key that encrypts environment secrets:

  1. Bluebricks Managed Key: an encryption key generated and held by Bluebricks. To enable this option, please contact support.

  2. Bring Your Own Key: a KMS key you create and control, used by the platform to encrypt your secrets. Bluebricks currently supports Amazon KMS for secrets encryption regardless of which cloud provider your blueprints target. You can read more in this article.
