Secrets Management
Securely manage and reference secrets from AWS Secrets Manager, Azure Key Vault, and GCP Secret Manager in your Terraform code.
What is Secrets Management?
ops0 integrates with cloud-native secret management services to help you securely handle sensitive values like API keys, database passwords, and certificates in your infrastructure code. Instead of hardcoding secrets, you can reference them from your cloud provider's secret manager.
Supported Secret Managers:
- AWS Secrets Manager
- Azure Key Vault
- GCP Secret Manager
How It Works
1. Connect cloud integration: link your AWS, Azure, or GCP account to your IaC project.
2. Create secrets in your cloud provider: use your cloud provider's console or CLI to create secrets tagged with `ops0-managed`.
3. Reference secrets in Terraform: ops0 displays the available secrets, which you can reference in your code.
4. Deploy securely: secret values are injected at deployment time without being exposed in logs or the UI.
AWS Secrets Manager
AWS Secret Manager Prerequisites
- AWS integration connected to your project
- Secrets tagged with `ops0-managed: true` or named with the prefix `ops0-`
Viewing Available Secrets
1. Open Project: open your IaC project.
2. Open Outputs/Secrets: click the Outputs/Secrets button in the toolbar.
3. Select Tab: switch to the Secrets tab.
4. Choose Provider: select AWS as the provider.
ops0 displays all secrets from AWS Secrets Manager that match the filter criteria.
Create AWS Secrets with Terraform
```hcl
# The secret container: name prefix and tag both satisfy the ops0 filter.
resource "aws_secretsmanager_secret" "database_password" {
  name        = "ops0-${var.project_name}-db-password"
  description = "Database master password"
  tags = {
    "ops0-managed" = "true"
    "ops0-project" = var.project_name
    "environment"  = "production"
  }
}

# The actual value lives in a secret version (random_password.db_password is declared elsewhere).
resource "aws_secretsmanager_secret_version" "database_password" {
  secret_id     = aws_secretsmanager_secret.database_password.id
  secret_string = random_password.db_password.result
}
```
Reference AWS Secrets
Use the aws_secretsmanager_secret_version data source to reference existing secrets:
```hcl
# Reads the current (AWSCURRENT) version of an existing secret by name.
data "aws_secretsmanager_secret_version" "api_key" {
  secret_id = "ops0-my-project-api-key"
}

# Other required Lambda arguments (role, runtime, handler, ...) are omitted for brevity.
resource "aws_lambda_function" "api" {
  function_name = "my-api"
  environment {
    variables = {
      API_KEY = data.aws_secretsmanager_secret_version.api_key.secret_string
    }
  }
}
```
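The prerequisites above say ops0 lists secrets that are either tagged `ops0-managed: true` or named with the `ops0-` prefix, and the troubleshooting section notes that listing needs `secretsmanager:ListSecrets` while reading needs `secretsmanager:GetSecretValue`. The following policy, an added example that is not part of the ops0 documentation or product, expresses exactly that filter as a least-privilege IAM policy for the principal your AWS integration uses. The role name `ops0-integration-role` is a placeholder; substitute the role your integration actually assumes.

```hcl
# Added example (not from the ops0 docs): least-privilege read access that
# mirrors the ops0 discovery filter (tag ops0-managed=true OR name prefix ops0-).
data "aws_iam_policy_document" "ops0_secrets_read" {
  # ListSecrets is not resource-scoped, so it must be granted on "*";
  # this only reveals names and metadata, never values.
  statement {
    sid       = "ListSecrets"
    actions   = ["secretsmanager:ListSecrets"]
    resources = ["*"]
  }

  # Value access for secrets carrying the ops0-managed = true tag.
  statement {
    sid       = "ReadTaggedSecrets"
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/ops0-managed"
      values   = ["true"]
    }
  }

  # Value access for secrets named with the ops0- prefix (ARNs end in name-XXXXXX).
  statement {
    sid       = "ReadPrefixedSecrets"
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = ["arn:aws:secretsmanager:*:*:secret:ops0-*"]
  }
}

resource "aws_iam_policy" "ops0_secrets_read" {
  name   = "ops0-secrets-read"
  policy = data.aws_iam_policy_document.ops0_secrets_read.json
}

resource "aws_iam_role_policy_attachment" "ops0_secrets_read" {
  role       = "ops0-integration-role" # placeholder: the role your ops0 integration assumes
  policy_arn = aws_iam_policy.ops0_secrets_read.arn
}
```

Two practical notes: a secret that is neither tagged nor prefixed is invisible to this principal even though ops0 would otherwise show it, which is the intended effect of the filter; and any `secret_string` read through the data source above is persisted in Terraform state, so the state backend must be protected to the same standard as the secret manager itself.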
Azure Key Vault
Azure Key Vault Prerequisites
- Azure integration connected to your project
- Key Vault accessible to your Azure service principal
- Secrets labeled with `ops0-managed: true`
Authentication
ops0 uses your Azure service principal credentials to access Key Vault. Ensure your service principal has the Key Vault Secrets User role:
```bash
az role assignment create \
  --role "Key Vault Secrets User" \
  --assignee <service-principal-id> \
  --scope /subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.KeyVault/vaults/<vault-name>
```
Create Azure Secrets with Terraform
```hcl
# Key Vault stores name and value together in one resource.
resource "azurerm_key_vault_secret" "database_password" {
  name         = "ops0-${var.project_name}-db-password"
  value        = random_password.db_password.result
  key_vault_id = azurerm_key_vault.main.id
  tags = {
    "ops0-managed"     = "true"
    "ops0-project"     = var.project_name
    "ops0-secret-type" = "database-password"
  }
}
```
Reference Azure Secrets
```hcl
# Reads the current version of an existing secret from the vault.
data "azurerm_key_vault_secret" "api_key" {
  name         = "ops0-my-project-api-key"
  key_vault_id = azurerm_key_vault.main.id
}

resource "azurerm_linux_web_app" "app" {
  name                = "my-app"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  service_plan_id     = azurerm_service_plan.main.id
  app_settings = {
    "API_KEY" = data.azurerm_key_vault_secret.api_key.value
  }
}
```
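The `az role assignment create` command in the Authentication section scopes the role to one vault. The block below, an added example that is not part of the ops0 documentation, expresses the same assignment in Terraform so the grant is versioned alongside the vault it applies to. The variable `ops0_service_principal_object_id` is an assumption introduced here; it must hold the service principal's object ID, not its application (client) ID, which is a common cause of the "Access Denied" described under Troubleshooting.

```hcl
# Added example (not from the ops0 docs): vault-scoped RBAC grant in Terraform.
variable "ops0_service_principal_object_id" {
  description = "Object ID (not the app/client ID) of the service principal ops0 uses"
  type        = string
}

# Data-plane read access limited to this single vault; Key Vault Secrets User
# only applies when the vault uses the Azure RBAC permission model rather than
# legacy access policies.
resource "azurerm_role_assignment" "ops0_secrets_user" {
  scope                = azurerm_key_vault.main.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = var.ops0_service_principal_object_id
}
```

Keep the scope at the vault (or, if you must, the resource group) rather than the subscription: every vault inside a broader scope becomes readable by the integration, which defeats the "Limit access with IAM" practice described later on this page.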
GCP Secret Manager
GCP Secret Manager Prerequisites
- GCP integration connected to your project
- Secrets labeled with `ops0_managed: true`
- Service account with the Secret Manager Secret Accessor role
Service Account Permissions
Ensure your GCP service account has the required role:
```bash
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:SERVICE_ACCOUNT_EMAIL" \
  --role="roles/secretmanager.secretAccessor"
```
Create GCP Secrets with Terraform
```hcl
# The secret container; GCP labels must use underscores rather than hyphens.
resource "google_secret_manager_secret" "database_password" {
  secret_id = "ops0-${var.project_name}-db-password"
  labels = {
    ops0_managed = "true"
    ops0_project = var.project_name
    environment  = "production"
  }
  replication {
    auto {}
  }
}

# The value is stored as a version of the secret.
resource "google_secret_manager_secret_version" "database_password" {
  secret      = google_secret_manager_secret.database_password.id
  secret_data = random_password.db_password.result
}
```
Reference GCP Secrets
```hcl
# Without a version argument this reads the "latest" version.
data "google_secret_manager_secret_version" "api_key" {
  secret = "ops0-my-project-api-key"
}

resource "google_cloud_run_service" "api" {
  name     = "my-api"
  location = "us-central1"
  template {
    spec {
      containers {
        image = "gcr.io/my-project/api:latest"
        env {
          name  = "API_KEY"
          value = data.google_secret_manager_secret_version.api_key.secret_data
        }
      }
    }
  }
}
```
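The `gcloud` command above grants Secret Accessor on the whole project. As an added example that is not part of the ops0 documentation, the block below narrows that grant to the one secret created earlier in this section and shows the explicit `version` argument that the Troubleshooting entry on outdated values refers to. The variable `ops0_service_account_email` is an assumption introduced here, and the version number `3` is a constructed placeholder.

```hcl
# Added example (not from the ops0 docs): per-secret accessor grant plus
# project-level listing, instead of a project-wide accessor binding.
variable "ops0_service_account_email" {
  description = "Email of the service account used by the ops0 GCP integration (placeholder)"
  type        = string
}

# Value access on this single secret only.
resource "google_secret_manager_secret_iam_member" "ops0_db_password_accessor" {
  secret_id = google_secret_manager_secret.database_password.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${var.ops0_service_account_email}"
}

# Secret Accessor does not include secretmanager.secrets.list, so discovery in the
# ops0 panel still needs a read-only listing role at project level; Viewer grants
# metadata only, never secret payloads.
resource "google_project_iam_member" "ops0_secret_viewer" {
  project = var.project_id # placeholder: your GCP project ID
  role    = "roles/secretmanager.viewer"
  member  = "serviceAccount:${var.ops0_service_account_email}"
}

# Pin a specific version when a deployment must not pick up a newer value;
# omit `version` (as in the data source above) to track "latest".
data "google_secret_manager_secret_version" "api_key_pinned" {
  secret  = "ops0-my-project-api-key"
  version = "3" # constructed placeholder version number
}
```

Repeat the `google_secret_manager_secret_iam_member` resource for each secret the integration should read; the project-wide `gcloud` binding remains the quick option when every secret in the project is meant to be reachable.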
Viewing Secrets in ops0
Accessing the Secrets Panel
1. Navigate to Project: navigate to your IaC project.
2. Open the Outputs and Secrets Panel: click Outputs/Secrets in the toolbar.
3. Switch Tab: switch to the Secrets tab.
4. Select Provider: select your cloud provider (AWS/Azure/GCP).
Secret Information Displayed
| Field | Description |
|---|---|
| Secret name | The unique identifier |
| Resource type | Secret, API key, certificate, etc. |
| Provider | AWS, Azure, or GCP |
| Masked value | Secrets are never displayed in plain text |
Copying Secret Values
Secret values are never displayed in the ops0 UI. Clicking "Copy" securely retrieves the value and places it in your clipboard.
To copy a secret value:
1. Click Copy: click the Copy button next to the secret.
2. Value Copied: the value is securely fetched and copied to your clipboard.
3. Paste: paste it into your local development environment as needed.
Security Best Practices
- Use cloud-native secret managers: never store secrets in Terraform variables or hardcode them in your code.
- Tag all secrets: always tag secrets with `ops0-managed` to make them discoverable and manageable.
- Rotate secrets regularly: set up automatic rotation policies in your cloud provider's secret manager.
- Limit access with IAM: grant the minimum required permissions to service principals and users.
- Audit secret access: ops0 logs all secret retrievals for compliance and security auditing.
Filtering and Organization
Naming Convention
Use a consistent naming pattern for ops0-managed secrets:
`ops0-{project-name}-{secret-type}`
Examples:
- `ops0-my-app-db-password`
- `ops0-my-app-api-key`
- `ops0-my-app-tls-cert`
Labeling/Tagging
Add metadata to secrets for better organization:
AWS:
```hcl
tags = {
  "ops0-managed" = "true"
  "ops0-project" = "my-app"
  "environment"  = "production"
  "secret-type"  = "database-password"
}
```
Azure:
```hcl
tags = {
  "ops0-managed"     = "true"
  "ops0-project"     = "my-app"
  "ops0-secret-type" = "database-password"
}
```
GCP:
```hcl
labels = {
  ops0_managed = "true"
  ops0_project = "my-app"
  secret_type  = "database_password"
}
```
Troubleshooting
Secrets not appearing in ops0
Check:
- Secrets are tagged/labeled with `ops0-managed: true` or prefixed with `ops0-`
- Cloud integration is connected to your project
- IAM permissions allow secret listing (e.g., `secretsmanager:ListSecrets` for AWS)
"Access Denied" when retrieving secret value
Solutions:
- Verify the service principal has read permissions on the specific secret
- For AWS: check that the IAM policy includes `secretsmanager:GetSecretValue`
- For Azure: ensure the Key Vault Secrets User role is assigned
- For GCP: verify the Secret Manager Secret Accessor role
Secret value is outdated
Secret values are retrieved in real-time. If a value appears outdated:
- Refresh the secrets list
- Verify the secret version in your cloud provider console
- For GCP, check that you're accessing the `latest` version