
Secrets and configs

Add secrets and configuration values to your apps.


Secrets are used to pass encrypted values to services at run time. Secrets are declarative, and are versioned per commit.

When you add a new secret using pt secrets edit, your secrets are encrypted and pushed to your cloud account. A secrets.yml manifest file is committed in your local directory.

Secrets are declarative and versioned with your code. To roll back secrets, simply roll your service back to a specific git commit using pt deploy.

Secrets are encrypted using GCP KMS or AWS KMS.

Adding secrets

Secrets are added interactively using pt secrets edit. This command looks up the secrets for a service, decrypts them, and opens a text file containing plain YAML for you to edit:

api_key: secret-key

  api_key: stage-api-key

When you close this file, each secret will be encrypted, stored and your manifest updated.

Adding configs

While secrets are stored in your cloud account as blobs, configs live locally in your code. To add a configuration value for your service, simply add a configs.yml file in your service directory.

db_connections: 10

  db_connections: 1

If both a config and a secret exist for the same key, the secret value will take precedence.

Environment Overrides

When adding a secret or config, add an environment namespace to apply them to a specific environment:

  key: value

Top level values are considered defaults and applied in all environments.

Accessing secrets and configs in your app

Secrets and configs are exposed to your serverless and container components as both a file and environment variables.

Secrets and configs are written in JSON format to /settings.json.

Secrets and configs are written as environment variables such as MY_KEYNAME.

To add complex-type configs or secrets, we recommend accessing them through the JSON file.
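An added example (not PowerTools code) of an app-side loader for the two access paths described above: it reads /settings.json first so that types survive, falls back to environment variables for scalar keys, fails closed when a required key is missing, and masks secret values before logging. The upper-casing of key names for the environment lookup, and the function and class names, are assumptions.

```python
import json
import os

SETTINGS_PATH = "/settings.json"  # file location stated on this page


class MissingSetting(KeyError):
    """A required key is in neither the settings file nor the environment."""


def load_settings(required=(), path=SETTINGS_PATH, environ=None):
    """Return settings as a dict, preferring the JSON file over env vars.

    JSON keeps types (ints, lists, nested objects). Environment variables
    are always strings, so they are only a fallback for scalar keys.
    """
    environ = os.environ if environ is None else environ
    try:
        with open(path, encoding="utf-8") as fh:
            settings = json.load(fh)
    except FileNotFoundError:
        settings = {}  # e.g. local run outside the platform
    if not isinstance(settings, dict):
        raise ValueError(f"{path} must contain a JSON object")
    for key in required:
        if key in settings:
            continue
        env_name = key.upper()  # assumption: api_key is exposed as API_KEY
        if env_name not in environ:
            raise MissingSetting(key)  # fail closed, no default for a secret
        settings[key] = environ[env_name]
    return settings


def redacted(settings, secret_keys):
    """Copy that is safe to log: values of secret_keys are masked."""
    return {k: "***" if k in secret_keys else v for k, v in settings.items()}


if __name__ == "__main__":
    import tempfile
    # Constructed sample file so the demo runs anywhere.
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as tmp:
        json.dump({"api_key": "secret-key", "db_connections": 10}, tmp)
    cfg = load_settings(("api_key", "db_connections"), path=tmp.name)
    print(redacted(cfg, {"api_key"}))
    os.unlink(tmp.name)
```

A value that comes from the environment fallback arrives as a string (for example "10" rather than 10), which is why typed or nested settings should be read from the JSON file.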

Built-in configs

The following built-in configs are added by PowerTools:

  • PT_CONTAINER_PORT - the port at which your container should listen for requests
  • PT_GITREF - the git ref of the deployment
  • PT_SVC - the name of the service
  • PT_COMPONENT - the index of the provided component

Accessing secrets and configs in your build

You can access config or secret values in your builds, using build hooks. Simply add a secret or config using the build namespace, and it will be added as an environment variable to any build hook declared for your service.


Occasionally, you may want to decrypt and resolve settings for a service in a particular environment.

To decrypt secrets: pt secrets decrypt.

To resolve settings: pt settings resolve.