Secrets Management

Distr provides a centralized secret management system that allows you to securely store sensitive configuration values and reference them in your deployments using template syntax. The secret values are substituted at deploy time — they never appear in your compose files, Helm values, or deployment logs.

What are Secrets?

Secrets are key-value pairs that store sensitive information such as API keys, passwords, database credentials, or any other confidential data that your application needs. Instead of hardcoding these values in environment files or Helm values, you can store them centrally in Distr and reference them using template syntax.

For example, if your application needs a database password, you can create a secret with key DATABASE_PASSWORD and reference it in your deployment configuration:

DATABASE_URL=postgresql://user:{{ .Secrets.DATABASE_PASSWORD }}@host:5432/db

When the deployment is created, the template is automatically replaced with the actual secret value.

Benefits of Using Secrets

Security: Secrets are stored securely and never exposed in deployment logs or configuration files
Centralized Management: Update secrets in one place and have them automatically available to all deployments
Audit Trail: Track who created or updated each secret and when
Access Control: Secrets are scoped to organizations and customer organizations
Log Protection: Secret values are automatically redacted from deployment logs

Creating and Managing Secrets

Accessing the Secrets Page

Navigate to the Distr web interface
Click on Secrets in the sidebar navigation
For vendor organizations: You can manage both vendor-level secrets and customer-specific secrets
For customer organizations: You can only view and manage secrets for your own organization

Creating a Secret

Click the Create Secret button on the Secrets page
Enter a Key for your secret (must start with a letter and contain only alphanumeric characters and underscores)
Enter the Value for your secret
Click Save

Updating a Secret

Find the secret you want to update in the secrets list
Click the Edit button next to the secret
Enter the new value (the key cannot be changed)
Click Save

The updated value will be automatically used in all future deployments. Existing deployments will continue using the old value until they are redeployed.

Deleting a Secret

Find the secret you want to delete in the secrets list
Click the Delete button
Confirm the deletion

Using Secrets in Deployments

Secrets can be referenced in two types of deployment configurations:

Environment Files (`.env`)

Use secrets in your environment files with Go template syntax:

# Reference a secret directly
API_KEY={{ .Secrets.API_KEY }}

# Use secrets in connection strings
DATABASE_URL=postgresql://user:{{ .Secrets.DB_PASSWORD }}@localhost:5432/mydb

# Combine multiple secrets
AUTH_TOKEN={{ .Secrets.CLIENT_ID }}:{{ .Secrets.CLIENT_SECRET }}

Helm Values (YAML)

For Kubernetes deployments, reference secrets in your Helm values:

database:
  host: db.example.com
  password: {{.Secrets.DB_PASSWORD}}

api:
  credentials:
    username: admin
    password: {{.Secrets.ADMIN_PASSWORD}}

config:
  githubToken: {{.Secrets.GITHUB_TOKEN}}

Template Syntax

Secrets use Go’s text/template syntax for substitution.

Basic Secret Reference

{{ .Secrets.SECRET_KEY_NAME }}

The secret key name must match exactly (case-sensitive) with a secret that exists in your organization.

Conditionals

Use if statements to handle optional secrets:

API_URL={{ if .Secrets.API_URL }}{{ .Secrets.API_URL }}{{ else }}https://api.example.com{{ end }}

In YAML:

api:
  url: {{ if .Secrets.API_URL }}{{ .Secrets.API_URL }}{{ else }}https://api.example.com{{ end }}

Combining Secrets

You can combine multiple secrets in a single value:

CREDENTIALS={{ .Secrets.USERNAME }}:{{ .Secrets.PASSWORD }}

Secret Naming Conventions

Secret keys must follow these rules:

Must start with a letter (a-z, A-Z)
Can contain letters, numbers, and underscores
Cannot start with a number or underscore
Cannot contain spaces or special characters (except underscore)

Valid examples:

API_KEY
database_password
GitHubToken123
stripe_api_key_prod

Invalid examples:

_API_KEY (starts with underscore)
123_KEY (starts with number)
API-KEY (contains hyphen)
API KEY (contains space)

Secret Scoping

Secrets are scoped either to a vendor organization or each customer. The scope determines which deployments can use a secret and where you manage it.

Vendor-level secrets

Vendor-level secrets are available to your internal deployments (deployment targets without a customer organization). They are not injected into customer deployments. If a customer deployment needs a credential, create it as a customer-specific secret for that customer.

Use vendor-level secrets for credentials that only your internal infrastructure needs, for example a staging environment token or a third-party API key used in vendor-managed test deployments.

To create or manage vendor-level secrets:

In the Vendor Portal sidebar, click Secrets.
Create, edit, or delete secrets from this view.

Customer-specific secrets

Customer-specific secrets are only available to deployments for one specific customer. Use these for credentials that belong to a single customer, for example a customer’s own database password or an API key specific to their environment.

Customer-specific secrets are managed from the Customers section, not the Secrets page:

In the Vendor Portal sidebar, click Customers.
Find the customer and click Manage secrets next to them.
Create, edit, or delete secrets from this view.

Customer-specific secrets are only injected into that customer’s deployments. They are not available to other customers and do not appear in the vendor-level secrets list.

Customer Organizations

As a customer, you can only create and view secrets for your own organization. In the Customer Portal, navigate to Secrets to manage them. These secrets are only available to your own deployments.

Security Considerations

Log Redaction

Distr automatically redacts secret values from deployment logs. If a log message contains a secret value, it will be replaced with ******** before being displayed or exported.

This protects your secrets even if they accidentally appear in application logs.

Secret Storage

Access Control

Only users with read_write or admin roles can create, update, or delete secrets
All users in an organization can view secret keys (but not values)
Secret values are never returned by the API after creation (only keys and metadata)

Best Practices

Rotate secrets regularly: Update secret values periodically and redeploy affected applications
Use minimal scope: Create customer-specific secrets when possible rather than vendor-wide secrets
Don’t log secrets: Ensure your application code doesn’t intentionally log secret values
Use descriptive keys: Make it clear what each secret is for without revealing sensitive information
Test in non-production first: Verify secret references work correctly before deploying to production

Error Handling

Missing Secrets

If a deployment configuration references a secret that doesn’t exist, the deployment validation will fail with an error:

template execution error: map has no entry for key "SECRET_NAME"

To fix this, create the missing secret or remove the reference from your configuration.

Template Syntax Errors

If your template syntax is invalid, you’ll receive an error during deployment validation:

template parsing error: unexpected "}" in operand

Check your template syntax for missing braces, quotes, or other syntax issues.