Secret management using environment variables


Using environment variables to provide secrets such as database passwords and bearer tokens has many advantages in on-premise setups, including:

  • Easily automating the rotation of secret credentials
  • Keeping sensitive information secret

Using env variables for database credentials

  1. Start by defining an environment variable RETOOL_EXPOSED_DB_PASSWORD whose value is your database connection string. Depending on how you have set up Retool, you may need to restart the Docker container.



To avoid leaking potentially sensitive environment variables, we only allow users to read environment variables with the RETOOL_EXPOSED_ prefix.

  2. Create a new Postgres connection, and choose to use the connection string format. Then fill it out as below.

In the above, we replaced what would normally have been the database password with %RETOOL_EXPOSED_DB_PASSWORD%

Note: this works for any field that you define, so you could even use environment variables when configuring the headers you send in an API request.

  3. Press save, and Retool is now configured to use the provided database password from the environment.
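
The prefix rule and the %NAME% substitution described above, sketched as an added example (this is not Retool's code). The names exposed_view, resolve_field, PlaceholderError and INTERNAL_SIGNING_KEY, the sample values, and the choice to raise an error on a refused placeholder are all assumptions of this sketch.

```python
import re

EXPOSED_PREFIX = "RETOOL_EXPOSED_"                  # prefix named on the page
PLACEHOLDER = re.compile(r"%([A-Z_][A-Z0-9_]*)%")   # %NAME% form shown on the page


class PlaceholderError(ValueError):
    """A field referenced a variable that is unset or not exposed."""


def exposed_view(env):
    """Return only the variables that fields are allowed to read."""
    return {k: v for k, v in env.items() if k.startswith(EXPOSED_PREFIX)}


def resolve_field(template, env):
    """Expand %NAME% placeholders in one configuration field.

    Lookups go through exposed_view(), so an unprefixed variable can
    never reach a field. Failing closed is this sketch's assumption.
    """
    allowed = exposed_view(env)

    def substitute(match):
        name = match.group(1)
        if name not in allowed:
            raise PlaceholderError(
                f"{name} is unset or lacks the {EXPOSED_PREFIX} prefix")
        return allowed[name]  # inserted verbatim, never re-scanned

    return PLACEHOLDER.sub(substitute, template)


# Constructed sample environment; both values are made up.
SAMPLE_ENV = {
    "RETOOL_EXPOSED_DB_PASSWORD": "constructed-db-pass",
    "INTERNAL_SIGNING_KEY": "constructed-internal-key",  # hypothetical name
}

if __name__ == "__main__":
    url = "postgres://app:%RETOOL_EXPOSED_DB_PASSWORD%@db.example.internal/app"
    print(resolve_field(url, SAMPLE_ENV))
    try:
        resolve_field("X-Debug: %INTERNAL_SIGNING_KEY%", SAMPLE_ENV)
    except PlaceholderError as err:
        print("refused:", err)
```

Filtering the environment before substitution means a typo or a hostile field value can only ever name variables an operator deliberately exposed.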


Do I need to restart Retool after changing the environment variable?

In most cases, you will need to restart the container when you modify the environment variables.
