Managing Secrets

Secrets management is a critical component of application security in Quant Cloud. The platform provides encrypted storage and secure injection of sensitive data like API keys, database passwords, certificates, and authentication tokens into your containers as environment variables.

Secrets are managed through the Environment & Secrets tab on your environment details page, where they’re stored in an encrypted secret store that provides enhanced security compared to standard environment variables.

Caution

Changes to secrets require an environment redeployment to take effect in running containers. Plan secret updates carefully, especially for production environments.

Note

Secret values are write-only for security. Once a secret is created or updated, its value cannot be viewed again through the interface. Store secret values securely outside the platform if you need to reference them later.

Managing Secrets

Viewing Secret Names The interface displays the names (keys) of all secrets defined for your environment. Secret values are never displayed for security reasons - only the secret names are visible.

Adding New Secrets Click “Add Secret” to create a new secret. You’ll need to provide:

• Name: The secret identifier (e.g., STRIPE_API_KEY, JWT_SECRET, OAUTH_CLIENT_SECRET)

  • Must be unique within the environment
  • Cannot conflict with environment variable names
  • Follow standard naming conventions (uppercase, underscores, alphanumeric)

• Value: The sensitive data to be encrypted and stored securely

Updating Existing Secrets To update a secret’s value, select the secret and provide a new value. The secret name cannot be changed - to rename a secret, delete the existing one and create a new secret with the desired name.

Removing Secrets Delete secrets that are no longer needed. Ensure no containers are referencing the secret before deletion to avoid runtime errors.

How Secrets Work

Automatic Injection as Environment Variables Secrets are automatically injected into all containers within the environment as environment variables. Unlike standard environment variables, secrets are encrypted at rest and securely delivered to your containers at runtime.

Environment Variable Mapping You can also create custom mappings for secrets through individual container configuration:

1. Navigate to your environment’s “Edit Config” page
2. Expand the container you want to configure
3. Enable “Show Advanced Options” to reveal the secrets section
4. Map secrets to specific environment variable names within that container

Each mapping allows you to:

• Choose the secret from your environment’s secret store
• Specify the environment variable name as it will appear inside the container
• Override the default naming if needed for your application

Environment Isolation Secrets are not automatically propagated between environments. Each environment maintains its own independent secret store, ensuring that:

• Production secrets remain isolated from development environments
• Different API keys can be used for different environments
• Secret rotation can be performed per environment as needed

Tip

This isolation is a security feature that prevents accidental exposure of production credentials in development or staging environments. You must explicitly configure secrets for each environment where they’re needed.

Automatic Database Secrets

When you enable a managed database for your application, Quant Cloud automatically creates and manages database connection secrets for you:

• DB_HOST: Database server hostname
• DB_USERNAME: Database username
• DB_PASSWORD: Database password
• DB_DATABASE: Database name

These secrets are automatically injected into all containers in the environment, providing secure database connectivity without manual configuration. The database credentials are unique to each environment and automatically rotated as needed.

Note

Database secrets are managed automatically by the platform. You don’t need to create or update these secrets manually - they’re provisioned when the database is created and maintained throughout the database lifecycle.

Security Benefits

Encryption at Rest All secret values are encrypted using industry-standard encryption before being stored. Secret values are never stored in plain text.

Secure Transmission Secrets are securely transmitted to containers using encrypted channels, ensuring sensitive data is protected in transit.

Access Control Secret values are never displayed in logs, process lists, or the management interface after creation. Only authorized containers can access secret values at runtime.

Audit Trail Secret management operations (creation, updates, deletion) are logged for security auditing and compliance purposes.

Best Practices

Secret Naming

• Use descriptive names that indicate the secret’s purpose (e.g., STRIPE_SECRET_KEY, JWT_SIGNING_SECRET)
• Follow consistent naming conventions across your organization
• Group related secrets with prefixes (e.g., OAUTH_CLIENT_ID, OAUTH_CLIENT_SECRET)

Secret Rotation

• Regularly rotate API keys and passwords
• Update secrets in all relevant environments when rotating
• Test applications after secret updates to ensure connectivity

Environment Strategy

• Use different secrets for each environment (development, staging, production)
• Never share production secrets with non-production environments
• Implement least-privilege access by environment

Value Management

• Store backup copies of critical secrets in a secure password manager
• Document the purpose and source of each secret
• Remove unused secrets to minimize security exposure

Caution

Remember that secret values cannot be retrieved once stored. Ensure you have secure backup copies of critical secrets before creating them in the platform.

Secrets provide the foundation for secure application configuration, ensuring that sensitive data is protected while remaining easily accessible to your applications at runtime.