Secrets
Store and manage sensitive values like API keys and credentials at the collection level
Overview
Secrets let you store sensitive values like API keys, credentials, or tokens at the collection level so they can be securely injected into blueprints at runtime.
By managing secrets centrally, you make it easier to reuse blueprints securely while maintaining strict control over who can access sensitive values.

How collection secrets work
Automatic injection: when a blueprint references a secret key that exists in the collection, the value is injected at runtime
Scoped by collection: each collection has its own isolated secret store; secrets never leak across collections
Write-once: secret values are encrypted and cannot be viewed or edited after creation. To change a secret, delete it and create a new one.
Access-controlled: only users with the right permissions can create or delete secrets. Others can reference them but not view their values.
Secrets are never logged, never displayed in plain text, and only available at runtime within the secure execution context.
How to use secrets in blueprints
Creating a secret
Navigate to the desired collection page
Select Secrets from the left side menu
Click Create Secret
Enter the secret name (key) and value
Click Save
Once saved, the value is encrypted and hidden. You cannot view it again.
Secret names cannot contain hyphens (-). Use underscores instead (e.g., max_password_age).
Referencing secrets in bricks.json
In your blueprint's bricks.json, reference a secret using the Secrets keyword followed by the secret's key.
The max_password_age property pulls its value from the collection's max_password_age secret at runtime. The Bluebricks orchestrator generates a secrets map for the target collection and replaces each Secrets.<key> reference with the corresponding value.
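A pre-deployment check for the references described above, added here as an example (it is not Bluebricks code or part of the Bluebricks documentation): it walks a bricks.json document, collects every Secrets.<key> reference, and reports names that contain a hyphen or that are missing from the list of secret names you expect in the target collection. The JSON layout, the function names, and the key list are assumptions constructed for illustration; the check works on secret names only, since values cannot be read back.

```python
import json
import re

# Matches the Secrets.<key> reference form. Assumption: keys consist of
# letters, digits and underscores; hyphens are captured on purpose so that
# invalid names can be reported rather than silently truncated.
SECRET_REF = re.compile(r"\bSecrets\.([A-Za-z0-9_-]+)")


def find_secret_refs(node, path="$"):
    """Yield (json_path, key) for every Secrets.<key> reference in string values."""
    if isinstance(node, dict):
        for name, child in node.items():
            yield from find_secret_refs(child, f"{path}.{name}")
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from find_secret_refs(child, f"{path}[{index}]")
    elif isinstance(node, str):
        for match in SECRET_REF.finditer(node):
            yield path, match.group(1)


def lint_secret_refs(document, collection_keys):
    """Return a sorted list of problems; an empty list means every reference resolves."""
    problems = []
    for path, key in find_secret_refs(document):
        if "-" in key:
            problems.append(f"{path}: '{key}' contains a hyphen; use underscores")
        elif key not in collection_keys:
            problems.append(f"{path}: '{key}' is not defined in the target collection")
    return sorted(problems)


# Constructed sample: the layout is illustrative, not the Bluebricks schema.
SAMPLE_BRICKS_JSON = """
{
  "props": {
    "max_password_age": {"default": "Secrets.max_password_age"},
    "api_token": {"default": "Secrets.api-token"},
    "db_password": {"default": "Secrets.db_password"}
  }
}
"""

# Constructed list of secret names that exist in the target collection.
COLLECTION_KEYS = {"max_password_age"}

if __name__ == "__main__":
    for problem in lint_secret_refs(json.loads(SAMPLE_BRICKS_JSON), COLLECTION_KEYS):
        print(problem)
```

Because each collection has its own secret store, run the check once per target collection with that collection's list of secret names.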
To delete a secret, click the three-dot menu on the secret row and select Delete.
Managed encryption keys
Bluebricks supports two options for secrets encryption:
Bluebricks Managed Key: encryption key generated by Bluebricks. Contact support to enable this option.
Bring Your Own Key: generate your own KMS key for the platform. For secrets encryption, Bluebricks supports Amazon KMS regardless of your cloud provider. See the AWS KMS documentation for details.

