Manage secrets with the file system
Learn how to use the file system to manage secrets.
Some deployment systems, like Docker swarm and Docker secrets, require secret values to be read from the file system instead of being set through environment variables. For instance, instead of setting a POSTGRES_PASSWORD in your environment, you point POSTGRES_PASSWORD_FILE to a text file that contains the password. In these cases, Retool supports reading certain environment variables from the file system.
This feature requires Retool version 2.66.10 or greater. You also need the ability to set non-secret environment variables.
1. Set the RETOOL_LOAD_FILE_SECRETS environment variable
At startup, Retool looks for the configured secret files and sets their contents as environment variables for the running container only, not for the entire system. Make sure to set the RETOOL_LOAD_FILE_SECRETS environment variable to true. Without this, Retool doesn't load secrets from the file system.
2. Configure environment variables
Instead of adding secrets to the environment directly, add the path to where your secrets are stored on the file system and append _FILE to the end of each environment variable name. For example, if you want to set the ENCRYPTION_KEY, you'd set ENCRYPTION_KEY_FILE to the path on the file system where the file exists.
RETOOL_LOAD_FILE_SECRETS=true
ENCRYPTION_KEY_FILE=/path/to/key
When starting Retool, you can check the logs to verify the environment variables are set:
RETOOL-CONFIG: RETOOL_LOAD_FILE_SECRETS is true, reading the following secrets from the filesystem
RETOOL-CONFIG: Setting ENCRYPTION_KEY via /path/to/key
If you don't see messages like these, see the Troubleshooting section below.
Manage your own secrets
Retool supports managing your own secrets using environment variables prefixed with RETOOL_EXPOSED. You can use the file system to manage these secrets too.
Instead of using the RETOOL_EXPOSED prefix, use RETOOL_FILE_EXPOSED. For example, if you want multiple resources to use your database password, set RETOOL_FILE_EXPOSED_DB_PASSWORD to the path on the file system.
RETOOL_LOAD_FILE_SECRETS=true
RETOOL_FILE_EXPOSED_DB_PASSWORD=/path/to/db/password
Troubleshooting
| Error | Resolution |
|---|---|
| RETOOL-CONFIG: Error setting SECRET via SECRET_FILE: /path/to/secret_file does not exist | The path in the SECRET_FILE environment variable doesn't exist. Double check that the path is accessible to the container running Retool at build time. |
| RETOOL-CONFIG: Error setting SECRET via SECRET_FILE: /path/to/secret_file is a directory | The path in the SECRET_FILE environment variable exists, but it isn't a file and can't be used to set the secret. Ensure the path in the SECRET_FILE environment variable points to a file, not a directory. |
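The following is an added, stand-alone illustration of the loading behaviour described in steps 1 and 2, the RETOOL_FILE_EXPOSED_ prefix mapping, and the two errors in the troubleshooting table. It is example code written for this page, not Retool's own implementation: the allow-list is abbreviated from the page's list of supported variables, the assumption that a single trailing newline is stripped from the file contents is this example's choice (the page does not say), and the permissions warning is an extra check that Retool does not document. The sample secret files are constructed in a temporary directory.

```python
import os
import stat
import tempfile

# Abbreviated from the page's "Supported environment variables" section.
SUPPORTED_SECRETS = {
    "CLIENT_SECRET", "CUSTOM_API_KEY", "DATABASE_API_BEARER_TOKEN",
    "DB_API_PASSWORD", "ENCRYPTION_KEY", "JWT_SECRET", "LICENSE_KEY",
    "POSTGRES_PASSWORD", "REDIS_PASSWORD", "RT_POSTGRES_PASSWORD",
    "SCIM_AUTH_TOKEN", "STRIPE_SECRET_KEY", "STRIPE_WEBHOOK_SECRET",
}
LOG_PREFIX = "RETOOL-CONFIG:"
FILE_EXPOSED_PREFIX = "RETOOL_FILE_EXPOSED_"
EXPOSED_PREFIX = "RETOOL_EXPOSED_"


def read_secret_file(path):
    """Return (value, error). The two error strings mirror the troubleshooting table."""
    if not os.path.exists(path):
        return None, f"{path} does not exist"
    if os.path.isdir(path):
        return None, f"{path} is a directory"
    with open(path, "r") as f:
        # Assumption (not stated on the page): one trailing newline is dropped,
        # so a file written by `echo` yields the same value as one written without it.
        return f.read().rstrip("\r\n"), None


def is_readable_by_others(path):
    """Extra defensive check: a secret file should not be group- or world-readable."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def load_file_secrets(env, log):
    """Resolve *_FILE and RETOOL_FILE_EXPOSED_* variables from `env` into a new dict.

    `env` is a plain dict (pass dict(os.environ) in real use); `log` collects
    RETOOL-CONFIG-style lines. The input dict is never modified.
    """
    out = dict(env)
    if env.get("RETOOL_LOAD_FILE_SECRETS", "").lower() != "true":
        return out  # step 1: nothing is read from disk unless the flag is true
    log.append(f"{LOG_PREFIX} RETOOL_LOAD_FILE_SECRETS is true, "
               "reading the following secrets from the filesystem")
    for name, path in env.items():
        if name.startswith(FILE_EXPOSED_PREFIX):
            target = EXPOSED_PREFIX + name[len(FILE_EXPOSED_PREFIX):]
        elif name.endswith("_FILE") and name[:-len("_FILE")] in SUPPORTED_SECRETS:
            target = name[:-len("_FILE")]
        else:
            continue  # not an allow-listed secret: ignored, never read
        value, err = read_secret_file(path)
        if err is not None:
            log.append(f"{LOG_PREFIX} Error setting {target} via {name}: {err}")
            continue
        if is_readable_by_others(path):
            log.append(f"{LOG_PREFIX} WARNING: {path} is readable by group or others")
        out[target] = value
        log.append(f"{LOG_PREFIX} Setting {target} via {path}")
    return out


def demo():
    """Build constructed secret files in a temp dir, run the loader, return (env, log)."""
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, "encryption_key")
        with open(key_path, "w") as f:
            f.write("constructed-example-key\n")
        os.chmod(key_path, 0o400)
        db_path = os.path.join(tmp, "db_password")
        with open(db_path, "w") as f:
            f.write("constructed-db-password")
        os.makedirs(os.path.join(tmp, "jwt_dir"))
        env = {
            "RETOOL_LOAD_FILE_SECRETS": "true",
            "ENCRYPTION_KEY_FILE": key_path,                      # loads
            "RETOOL_FILE_EXPOSED_DB_PASSWORD": db_path,           # loads, renamed
            "JWT_SECRET_FILE": os.path.join(tmp, "jwt_dir"),      # "is a directory"
            "LICENSE_KEY_FILE": os.path.join(tmp, "missing"),     # "does not exist"
            "UNRELATED_FILE": key_path,                           # not allow-listed
        }
        log = []
        resolved = load_file_secrets(env, log)
    return resolved, log


if __name__ == "__main__":
    resolved, log = demo()
    print("\n".join(log))
    print({k: v for k, v in resolved.items() if not k.endswith("_FILE")})
</test>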
Supported environment variables
This feature only works with the following environment variables:
CLIENT_SECRET
CUSTOM_API_KEY
CUSTOM_OAUTH2_SSO_CLIENT_SECRET
CUSTOM_OAUTH2_SSO_JWT_EMAIL_KEY
CUSTOM_OAUTH2_SSO_JWT_FIRST_NAME_KEY
CUSTOM_OAUTH2_SSO_JWT_LAST_NAME_KEY
CUSTOM_OAUTH2_SSO_JWT_ROLES_KEY
DATABASE_API_BEARER_TOKEN
DB_API_PASSWORD
ENCRYPTION_KEY
GITHUB_APP_ID
GITHUB_APP_INSTALLATION_ID
GITHUB_APP_PRIVATE_KEY
GITHUB_SYNC_TOKEN
GOOGLE_API_KEY
GOOGLE_CLIENT_SECRET
INTEGRATIONS_BASECAMP_CLIENT_SECRET
INTEGRATIONS_BASECAMP_NEW_DOMAIN_CLIENT_SECRET
INTERCOM_IDENTITY_VERIFICATION_SECRET_KEY
JWT_SECRET
LICENSE_KEY
MAILGUN_API_KEY
OKTA_CLIENT_SECRET
POSTGRES_PASSWORD
REDIS_PASSWORD
RETOOL_SALESFORCE_CONNECTED_APP_CLIENT_SECRET
RT_POSTGRES_PASSWORD
SANDBOX_LAMBDA_API_KEY
SCIM_AUTH_TOKEN
SLACK_API_TOKEN
STRIPE_SECRET_KEY
STRIPE_WEBHOOK_SECRET