What to use when

Tinfoil Containers supports two different kinds of configuration values:
|            | Environment variables                                   | Secrets                                            |
|------------|---------------------------------------------------------|----------------------------------------------------|
| Stored in  | tinfoil-config.yml (in your repo)                       | Encrypted storage (AWS Secrets Manager)            |
| Visible to | Anyone with repo access                                 | Tinfoil infrastructure, no public access           |
| Set via    | Config file                                             | Declared in config, set in dashboard only          |
| Use for    | Non-sensitive config (ports, log levels, feature flags) | Sensitive values (API keys, database URLs, tokens) |
Environment variables and secrets are both declared in the config. Env var values are also set in the config file; secret values are set in the dashboard.

Environment variables

Config File

Define environment variables in the env field of your container configuration file:
tinfoil-config.yml
containers:
  - name: api
    image: ghcr.io/myorg/api-server
    env:
      - PORT: "8080"
      - LOG_LEVEL: "info"
      - NODE_ENV: "production"

Dashboard

During deployment, the dashboard displays the environment variables (and secret names) defined in your tinfoil-config.yml. These values are read-only. To change them, update the config file in your repo and release a new version via the Tinfoil Release workflow.

Secrets

Secrets are stored in AWS Secrets Manager and injected into your container as environment variables at deploy time. They are not exposed in the dashboard UI or your Git repository, but they are accessible to Tinfoil’s infrastructure during deployment.
Your secrets are visible to Tinfoil. If your threat model requires that Tinfoil cannot access certain values, contact us about your use case.

Creating

  1. Go to the Secrets tab in the Containers section of the dashboard
  2. Click Add Secret
  3. Enter a name (e.g. DATABASE_URL) and value
  4. Click Save
Secrets are scoped to your organization. Any member of the org can configure any container to use them.

Referencing

List secret names in the secrets field of your container spec. The values are pulled from your org’s secret store at deploy time:
tinfoil-config.yml
containers:
  - name: api
    image: ghcr.io/myorg/api-server
    env: # ...
    secrets:
      - DATABASE_URL
      - STRIPE_SECRET_KEY
When deploying a container, the dashboard shows which secrets your config references. If your config references a secret that doesn’t exist yet, the dashboard warns you and prevents deployment until it’s created.

Updating

Edit a secret’s value in the Secrets tab at any time. Updating a secret does not automatically update running containers. To pick up the new value you must redeploy. Redeployment uses the blue-green flow, so there’s no downtime.
The dashboard shows a stale secrets indicator on containers that were deployed before their secrets were last updated.

Deleting

You cannot delete a secret that is referenced by any container. The dashboard shows which containers are using it. Delete all deployments that are currently using the secret, then delete the secret.

Using the CLI

The Tinfoil CLI manages secrets through the same vault:
tinfoil secret list

# Create — read the value from a file or stdin to avoid shell history
tinfoil secret create DATABASE_URL --value-file ./db.url
echo -n "$STRIPE_KEY" | tinfoil secret create STRIPE_SECRET_KEY --value-file -

# Rotate (containers using it are marked stale; redeploy to pick up the new value)
tinfoil secret set DATABASE_URL --value-file ./db.url

# Inspect (the value itself is never returned)
tinfoil secret get DATABASE_URL

# Delete (fails if any container references it)
tinfoil secret delete DATABASE_URL
Reference secrets at deploy time with --secret NAME on tinfoil container create, relaunch, or start. See the CLI secrets section for details.