Managing Secrets
Secrets are sensitive values like API keys, private keys, database URLs, and authentication tokens that your workflow needs to access at runtime. CRE provides different approaches for managing secrets depending on whether you're developing locally or running workflows in production.
This guide helps you choose the right approach for your use case.
Which guide do I need?
Your workflow environment determines how you manage secrets:
1. Local development and simulation
When to use: You're testing and debugging workflows on your local machine using cre workflow simulate.
How it works:
- Secrets declared in secrets.yaml
- Values provided via .env file or environment variables
- Secrets injected locally by the CLI
- No Vault DON required
→ Follow this guide: Using Secrets in Simulation
2. Deployed workflows
When to use: Your workflow is deployed to the Workflow DON.
How it works:
- Secrets stored in the Vault DON (decentralized secret storage)
- Managed via cre secrets CLI commands (create, update, delete, list)
- Your workflow retrieves secrets from the Vault at runtime
- Vault DON required
→ Follow this guide: Using Secrets with Deployed Workflows
3. Secure secret management (Best practice)
When to use: Any environment where you want to avoid storing secrets in plaintext .env files.
How it works:
- Use 1Password CLI to store and inject secrets
- Secrets never stored in plaintext on your filesystem
- Works for both simulation and production
→ Follow this guide: Managing Secrets with 1Password CLI
Quick comparison
| Aspect | Local Simulation | Deployed Workflows |
|---|---|---|
| Environment | Your local machine | Workflow DON |
| Secret storage | .env file or environment variables | Vault DON |
| CLI commands | None (automatic via simulation) | cre secrets create/update/delete |
| Workflow code | runtime.GetSecret() | runtime.GetSecret() (same API) |
| Authentication | Not required | cre login required |
| Use case | Development and testing | Deployed workflows |
How secrets work in your workflow
Regardless of where secrets are stored (locally or in the Vault), your workflow code uses the same API to access them:
```typescript
const secret = runtime.getSecret({ id: "API_KEY" }).result()
const apiKey = secret.value
```
The CRE runtime automatically handles retrieving the secret from the appropriate source based on your environment.
Getting started
- For local development: Start with Using Secrets in Simulation to learn the basics
- For deployed workflows: Once your workflow is ready to deploy, follow Using Secrets with Deployed Workflows
- For enhanced security: Implement 1Password CLI integration to eliminate plaintext secrets
Reference
For detailed CLI command documentation, see:
- Secrets Management CLI Reference: Complete documentation for cre secrets commands