When building tasks, you'll often need to pass in sensitive configuration values such as a database password or an API key. Airplane provides built-in ways to do this, as well as easy integration with existing secret stores.
Note that with all secrets, regardless of where they're stored, users with Developer or Admin roles can deploy tasks that expose parameters and secrets (e.g. by printing them out). If necessary, teams should restrict who has access to Developer role or Admin role. And developers should take care to avoid printing out sensitive information, just like with any normal production service.
Using config variables
Airplane config variables offer a built-in mechanism for storing and managing secrets. All config variables are stored encrypted at rest, and config variables marked as secret will not be displayed to end users in the UI.
Built-in secret management on Airplane
Using external secret stores
Airplane tasks are written in code and support external dependencies, so it's possible to integrate with your secret store of choice instead of using config variables.
For details and examples, see the guides below:
You can couple an external secret store with self-hosted agents to minimize the sensitive data that leaves your systems.