Secrets management
When building tasks, you'll often need to pass in sensitive configuration values such as a database
password or an API key. Airplane provides built-in ways to do this, as well as easy integration with
existing secret stores.
Note that with all secrets, regardless of where they're stored, users with Developer or Admin roles
can deploy tasks that expose parameters and secrets (e.g. by printing them out). If necessary, teams
should restrict who has access to Developer role or Admin
role. And developers should take care to avoid printing out sensitive information, just like with
any normal production service.
Using config variables
Using config variables
Airplane config variables offer a built-in mechanism for storing and managing secrets. All
config variables are stored encrypted at rest, and config variables marked as secret will not be
displayed to end users in the UI.
Config variables
Built-in secret management on Airplane
Using external secret stores
Using external secret stores
Airplane tasks are written in code and support external dependencies, so it's possible to integrate
with your secret store of choice instead of using config variables.
For details and examples, see the guides below:
You can couple an external secret store with self-hosted agents to minimize
the sensitive data that leaves your systems.