Environment variables vs secrets

Tinfoil Containers supports two kinds of configuration values:
Environment variables
  Stored in: tinfoil-config.yml (in your repo)
  Visible to: Anyone with repo access
  Set via: Config file
  Use for: Non-sensitive config (ports, log levels, feature flags)

Secrets
  Stored in: Encrypted storage (AWS Secrets Manager)
  Visible to: Tinfoil infrastructure, no public access
  Set via: Declared in config, set in dashboard only
  Use for: Sensitive values (API keys, database URLs, tokens)

Environment variables and secrets must be declared in the config. Env var values are set in the config file; secret values are set in the dashboard.

Environment variables

In your config file

Define environment variables in the env field of your container spec:
tinfoil-config.yml
containers:
  - name: api
    image: ghcr.io/myorg/api-server
    env:
      - PORT=8080
      - LOG_LEVEL=info
      - NODE_ENV=production

In the dashboard

During deployment, the dashboard displays the environment variables (and secret names) defined in your tinfoil-config.yml. These values are read-only. To change them, update the config file in your repo and push a new tag.

Secrets

Secrets are stored in AWS Secrets Manager and injected into your container as environment variables at deploy time. They are not exposed in the dashboard UI or your Git repository, but they are accessible to Tinfoil’s infrastructure during deployment.
Secrets are not protected by the enclave’s confidentiality boundary. They pass through the host on their way into the container. If your threat model requires that Tinfoil cannot access certain values, those values should be encrypted application-side before storing them as secrets.

Creating secrets

  1. Go to the Secrets tab in the Containers section of the dashboard
  2. Click Add Secret
  3. Enter a name (e.g. DATABASE_URL) and value
  4. Click Save
Secrets are scoped to your organization. Any member of the org can configure any container to use them.

Referencing secrets in config

List secret names in the secrets field of your container spec. The values are pulled from your org’s secret store at deploy time:
tinfoil-config.yml
containers:
  - name: api
    image: ghcr.io/myorg/api-server
    secrets:
      - DATABASE_URL
      - STRIPE_SECRET_KEY

Selecting secrets during deployment

When deploying a container, the dashboard shows which secrets your config references. Select the secrets your container needs access to. If your config references a secret that doesn’t exist yet, the dashboard warns you and prevents deployment until it’s created.

Updating secrets

Edit a secret’s value in the Secrets tab at any time. Note that updating a secret does not automatically update running containers. You need to redeploy for containers to pick up the new value.
The dashboard shows a stale secrets indicator on containers that were deployed before their secrets were last updated. Redeploy the container to pick up the new values.

Deleting secrets

You cannot delete a secret that is referenced by any container. The dashboard shows which containers are using it. Delete all deployments that are currently using the secret, then delete the secret.