|
| 1 | +# Managing Secrets and Env Vars |
| 2 | + |
| 3 | +This gateway enforces secret masking at the proxy layer for every client (web UI, Convox CLI, scripts). Masking is always applied by default. To intentionally view plaintext values, you must be authorized and explicitly request secrets via the gateway. |
| 4 | + |
| 5 | +## How masking works |
| 6 | + |
| 7 | +- The gateway masks values for variables commonly treated as secrets (e.g., keys, passwords, tokens). It also respects an allowlist of additional secret keys via `CONVOX_SECRET_ENV_VARS` (comma‑separated key names). |
| 8 | +- To see unmasked values, your account must have the `secrets:view` permission (assigned via RBAC), and you must pass `--secrets` to the CLI. |
| 9 | + |
| 10 | +## Use `convox-gateway env` to request plaintext |
| 11 | + |
| 12 | +The `convox-gateway` CLI exposes an `env` command that talks to the gateway API. Masking is applied by default; pass `--secrets` to request plaintext if you have permission. |
| 13 | + |
| 14 | +Examples below assume you have logged in and selected a rack with: |
| 15 | + |
| 16 | +```bash |
| 17 | +convox-gateway login <rack> <gateway-origin> |
| 18 | +``` |
| 19 | + |
| 20 | +### List env vars (masked by default) |
| 21 | + |
| 22 | +```bash |
| 23 | +# Masked output |
| 24 | +convox-gateway env -a myapp |
| 25 | + |
| 26 | +# Unmasked if you have permission |
| 27 | +convox-gateway env --secrets -a myapp |
| 28 | +``` |
| 29 | + |
| 30 | +### Get a single key |
| 31 | + |
| 32 | +```bash |
| 33 | +# Masked by default |
| 34 | +convox-gateway env get DATABASE_URL -a myapp |
| 35 | + |
| 36 | +# Unmasked (requires secrets:view permission) |
| 37 | +convox-gateway env get DATABASE_URL --secrets -a myapp |
| 38 | +``` |
| 39 | + |
| 40 | +### Set / unset env vars |
| 41 | + |
| 42 | +`convox-gateway` provides aliases that delegate to the Convox CLI for writes: |
| 43 | + |
| 44 | +```bash |
| 45 | +# Set (delegates to: convox env set) |
| 46 | +convox-gateway env set FOO=bar OTHER=baz -a myapp --promote |
| 47 | + |
| 48 | +# Unset (delegates to: convox env unset) |
| 49 | +convox-gateway env unset FOO -a myapp --promote |
| 50 | +``` |
| 51 | + |
| 52 | +Notes: |
| 53 | +- Writes occur via the Convox CLI, so they follow Convox semantics (release creation, optional `--promote`, etc.). |
| 54 | +- Reads happen via the gateway, with masking applied unless `--secrets` is provided and authorized. |
| 55 | + |
| 56 | +## Convox CLI behavior |
| 57 | + |
| 58 | +- `convox env` (Convox CLI through the gateway): returns masked values by default, with masking enforced by the gateway. The native Convox CLI does not provide an "unmask" option via the gateway. |
| 59 | +- To view plaintext values (when authorized), use `convox-gateway env --secrets`. |
| 60 | + |
| 61 | +## Tips |
| 62 | + |
| 63 | +- Avoid pasting unmasked secrets into terminals or logs. Prefer masked reads unless you explicitly need plaintext (`--secrets`). |
| 64 | +- For scripting, parse JSON from the gateway API directly if needed; the CLI prints key=value lines for quick inspection. |
| 65 | +- Add extra sensitive keys to `CONVOX_SECRET_ENV_VARS` to ensure they are masked by default. |
0 commit comments