Why Use External Secrets?
Instead of storing sensitive values directly in Flipt configuration files, external secrets provide:- Enhanced Security: Sensitive data is stored in dedicated secret management systems with proper access controls
- Centralized Management: All secrets managed in one place with audit trails and access policies
- Environment Separation: Different secrets for development, staging, and production environments
- Rotation Support: Easy secret rotation without updating configuration files (coming soon)
- Access Control: Fine-grained permissions for who can access which secrets
Supported Providers
Flipt supports multiple secret providers to fit different deployment scenarios:Weβre working on adding support for more secret providers, including AWS
Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager.
File Provider
Store secrets in local files - ideal for development and simple deployments
HashiCorp Vault
Enterprise-grade secret management with advanced authentication and access
controls
Configuration Overview
Enable secrets management by configuring providers in your Flipt configuration:File Provider
The file provider is the simplest option, storing each secret as an individual file in the configured directory.Configuration
Usage
Create individual secret files in the configured directory. Each file becomes a secret where the filename is the key and the file contents are the value:Each secret is stored as a separate file. The filename becomes the secret key,
and the file contents become the secret value.
HashiCorp Vault Provider
Vault provides enterprise-grade secret management with advanced features like dynamic secrets, encryption as a service, and detailed audit logs.Basic Configuration
Authentication Methods
Token Authentication
Best for development and testing:Kubernetes Authentication
Ideal for Kubernetes deployments:AppRole Authentication
Good for automated systems and CI/CD:Environment Variables
Avoid storing sensitive values in configuration files by using environment variables:Using Secrets in Configuration
Secrets can be referenced throughout your Flipt v2 configuration using the secret reference syntax. Secret references must always include the provider specification.Secret Reference Syntax
Secret references use the format${secret:provider:key}
where:
provider
is the name of the configured secrets provider (e.g.,file
,vault
)key
is the name of the secret to retrieve
File Provider Examples
Vault Provider Examples
Combined with Environment Variables
You can combine secret references with environment variables in the same configuration:Structured Secret References
For more complex scenarios, you can also use the structuredkey_ref
format in configuration sections that support it: