secrets.yml FAQ

Secret values like API keys, passwords, and SSH credentials must never appear in version control. Store these in environment variables, encrypted files, or secrets management systems. Commit a .env.example file instead of .env.

Use Docker's --env-file flag with a .env file, or mount a secrets volume. Example:

docker run \\
  -e DB_PASSWORD=$DB_PASSWORD \\
  --env-file=.env \\
  myapp-image
                

Yes! Use the cloud provider's secrets manager (e.g., AWS Secrets Manager in Lambda) or inject runtime environment variables. The secrets.yml file will reference them as environment variables:

lambda_function.py
------------------
import os

API_KEY = os.getenv('AWS_LAMBDA_API_KEY')