Manage secrets with the file system

Learn how to use the file system to manage secrets.

Some deployment systems, like Docker swarm and Docker secrets, require secret values to be read from the file system instead of being set through environment variables. For instance, instead of setting a POSTGRES_PASSWORD in your environment, you point POSTGRES_PASSWORD_FILE to a text file that contains the password. In these cases, Retool supports reading certain environment variables from the file system.

Note: This feature requires Retool version 2.66.10 or greater. You also need the ability to set non-secret environment variables.

1. Set the RETOOL_LOAD_FILE_SECRETS environment variable

At startup, Retool reads each configured secret file and sets its contents as an environment variable for the running container only, not for the host system. Make sure to set the RETOOL_LOAD_FILE_SECRETS environment variable to true. Without it, Retool doesn't load secrets from the file system.

2. Configure environment variables

Instead of adding secrets to the environment directly, add the path to where your secrets are stored on the file system and append _FILE to the end of each environment variable name. For example, if you want to set the ENCRYPTION_KEY, you’d set ENCRYPTION_KEY_FILE to the path on the file system where the file exists.

RETOOL_LOAD_FILE_SECRETS=true
ENCRYPTION_KEY_FILE=/path/to/key

When starting Retool, you can check the logs to verify the environment variables are set:

RETOOL-CONFIG: RETOOL_LOAD_FILE_SECRETS is true, reading the following secrets from the filesystem
RETOOL-CONFIG: Setting ENCRYPTION_KEY via /path/to/key

If you don't see messages similar to this, see the troubleshooting section.

Manage your own secrets

Retool supports managing your own secrets using environment variables prefixed with RETOOL_EXPOSED. You can use the file system to manage these secrets too.

Instead of using the RETOOL_EXPOSED prefix, use RETOOL_FILE_EXPOSED. For example, if you want multiple resources to use your database password, set RETOOL_FILE_EXPOSED_DB_PASSWORD to the path on the file system.

RETOOL_LOAD_FILE_SECRETS=true
RETOOL_FILE_EXPOSED_DB_PASSWORD=/path/to/db/password

Troubleshooting

Error: RETOOL-CONFIG: Error setting SECRET via SECRET_FILE: /path/to/secret_file does not exist
Resolution: The path in the SECRET_FILE environment variable doesn't exist. Double-check that the path is accessible to the container running Retool at build time.

Error: RETOOL-CONFIG: Error setting SECRET via SECRET_FILE: /path/to/secret_file is a directory
Resolution: The path in the SECRET_FILE environment variable exists, but isn't a file and can't be used to set the secret. Ensure the path points to a file and not a directory.
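The following POSIX shell script is an added example, not Retool's own code. It ties together steps 1 and 2, the RETOOL_FILE_EXPOSED variant, and the two troubleshooting cases above: before the container starts, it walks the environment, finds every NAME_FILE and RETOOL_FILE_EXPOSED_NAME variable, and reports the same failure modes (missing path, directory) plus a few a practitioner also wants caught (unreadable, empty, world-readable file) and the step-1 mistake of forgetting RETOOL_LOAD_FILE_SECRETS=true. Assumptions that are not stated on this page: the function names are hypothetical; the script must run with the same filesystem view the Retool container will have (for example from an entrypoint wrapper inside the image); the mapping RETOOL_FILE_EXPOSED_X to RETOOL_EXPOSED_X is inferred from the naming convention; and treating a world-readable secret file as a warning is this script's own policy.

```shell
#!/bin/sh
# Pre-start check for file-backed secrets (added example, not Retool's own code).
# Assumption: run where the Retool container's filesystem paths are visible.

# Classify one secret path. Prints one status word and returns 0 only for "ok":
#   ok | missing | directory | not-regular | unreadable | empty
classify_secret_file() {
  path="$1"
  if [ ! -e "$path" ]; then echo missing; return 1; fi
  if [ -d "$path" ]; then echo directory; return 1; fi
  if [ ! -f "$path" ]; then echo not-regular; return 1; fi
  if [ ! -r "$path" ]; then echo unreadable; return 1; fi
  if [ ! -s "$path" ]; then echo empty; return 1; fi
  echo ok
}

# Return 0 when the file is not readable by "others". Uses the portable
# ls -l mode string, where column 8 is the others-read bit (e.g. -rw-------).
is_private_file() {
  [ "$(ls -ld "$1" | cut -c8)" != "r" ]
}

# Derive the variable the file will populate, mirroring the page's two
# conventions (the RETOOL_FILE_EXPOSED_ mapping is an assumption):
#   NAME_FILE              -> NAME
#   RETOOL_FILE_EXPOSED_X  -> RETOOL_EXPOSED_X
target_var_name() {
  case "$1" in
    RETOOL_FILE_EXPOSED_*) echo "RETOOL_EXPOSED_${1#RETOOL_FILE_EXPOSED_}" ;;
    *_FILE)                echo "${1%_FILE}" ;;
    *)                     return 1 ;;
  esac
}

# Step-1 gate: Retool only loads file secrets when this is literally "true".
file_secrets_enabled() {
  [ "${RETOOL_LOAD_FILE_SECRETS:-}" = "true" ]
}

# Walk the exported environment, check every file-backed secret variable and
# return non-zero if any of them would fail at Retool startup.
check_env_secret_files() {
  rc=0
  # Only well-formed names are accepted, so the eval below is safe.
  names=$(env | cut -d= -f1 | grep -E '^([A-Z0-9_]*_FILE|RETOOL_FILE_EXPOSED_[A-Z0-9_]*)$')
  for name in $names; do
    eval "path=\$$name"
    target=$(target_var_name "$name") || continue
    if ! file_secrets_enabled; then
      echo "CHECK: $name is set but RETOOL_LOAD_FILE_SECRETS is not true; $target will not be loaded" >&2
      rc=1
      continue
    fi
    status=$(classify_secret_file "$path") || {
      echo "CHECK: Error setting $target via $name: $path ($status)" >&2
      rc=1
      continue
    }
    if is_private_file "$path"; then
      echo "CHECK: Setting $target via $path"
    else
      echo "CHECK: warning: $path is world-readable; tighten its permissions" >&2
    fi
  done
  return $rc
}
```

Source the file and call check_env_secret_files from the container entrypoint before the Retool process starts; a non-zero exit stops the launch with the offending variable named, instead of leaving you to search the RETOOL-CONFIG lines after the fact.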

Supported environment variables

This feature only works with the following environment variables:

  • CLIENT_SECRET
  • CUSTOM_API_KEY
  • CUSTOM_OAUTH2_SSO_CLIENT_SECRET
  • CUSTOM_OAUTH2_SSO_JWT_EMAIL_KEY
  • CUSTOM_OAUTH2_SSO_JWT_FIRST_NAME_KEY
  • CUSTOM_OAUTH2_SSO_JWT_LAST_NAME_KEY
  • CUSTOM_OAUTH2_SSO_JWT_ROLES_KEY
  • DATABASE_API_BEARER_TOKEN
  • DB_API_PASSWORD
  • ENCRYPTION_KEY
  • GITHUB_APP_ID
  • GITHUB_APP_INSTALLATION_ID
  • GITHUB_APP_PRIVATE_KEY
  • GITHUB_SYNC_TOKEN
  • GOOGLE_API_KEY
  • GOOGLE_CLIENT_SECRET
  • INTEGRATIONS_BASECAMP_CLIENT_SECRET
  • INTEGRATIONS_BASECAMP_NEW_DOMAIN_CLIENT_SECRET
  • INTERCOM_IDENTITY_VERIFICATION_SECRET_KEY
  • JWT_SECRET
  • LICENSE_KEY
  • MAILGUN_API_KEY
  • OKTA_CLIENT_SECRET
  • POSTGRES_PASSWORD
  • REDIS_PASSWORD
  • RETOOL_SALESFORCE_CONNECTED_APP_CLIENT_SECRET
  • RT_POSTGRES_PASSWORD
  • SANDBOX_LAMBDA_API_KEY
  • SCIM_AUTH_TOKEN
  • SLACK_API_TOKEN
  • STRIPE_SECRET_KEY
  • STRIPE_WEBHOOK_SECRET
