dagger/docs/core-concepts/1204-secrets.md

---
slug: /1204/secrets
displayed_sidebar: '0.2'
---

# How to use secrets

Most operations in `client` support handling secrets (see [Interacting with the client](./1203-client.md)). More specifically, you can:

- Write a secret to a file;
- Read a secret from a file;
- Read a secret from an environment variable;
- Read a secret from the output of a command;
- Use a secret as the input of a command.

## Environment

The simplest use case is reading from an environment variable:

```cue
dagger.#Plan & {
    client: env: GITHUB_TOKEN: dagger.#Secret
}
```

## File

You may need to trim the whitespace, especially when reading from a file:

```cue file=../tests/core-concepts/secrets/plans/file.cue

```

## SOPS

There’s many ways to store encrypted secrets in your git repository. If you use [SOPS](https://github.com/mozilla/sops), here's a simple example where you can access keys from an encrypted yaml file:

```yaml title="secrets.yaml"
myToken: ENC[AES256_GCM,data:AlUz7g==,iv:lq3mHi4GDLfAssqhPcuUIHMm5eVzJ/EpM+q7RHGCROU=,tag:dzbT5dEGhMnHbiRTu4bHdg==,type:str]
sops: ...
```

```cue file=../tests/core-concepts/secrets/plans/sops.cue title="main.cue"

```
-												Add the must-have pages for the Europa release

The goal is to capture the shape of the new docs. It is not meant to be
final, but it should be as close as possible. We only want the bare
minimum for new users that on-board with Dagger Europa. As soon as the
new europaSidebar replaces replaces the existing one, the previous docs
will still remain available - doc IDs are unique and permanent. We will
do this by simply changing the default `slug: /` to point to the Europa
Docs entrypoint, which is doc 1200.

Helpful Docusaurus link re multiple sidebars:
https://docusaurus.io/docs/sidebar/multiple-sidebars

The new pages are numbered from `1200` onwards. This is meant to reflect
the `0.2.0` Dagger version. This numbering felt more meaningful than
just continuing to increment existing numbers.

I didn't want to be "wasteful" with the digits and start at `2000`, but
that was my first instinct.

I am keen on getting this live on https://docs.dagger.io/1200/local-ci.
Anything that is not in production, is inventory. Inventory is bad.

The goal is to allow anyone that has a link to get a feel for the new
docs as soon as possible, so that we can all see how they improve in
real-time, and steer them continuously towards the desired state. We
should be aware of the timeline, and not muck about, but instead
evaluate constantly how close are we to "flipping the switch".

Remember, the best releases are those where switches are flipped (e.g.
`--europa)`. The feature will have been out there for weeks (maybe even
months), improved by talking to users and then one day realising that we
are done, and just enabling it by default. It's the same principle
behind these docs.

Signed-off-by: Gerhard Lazu <gerhard@lazu.co.uk>

											
										
										
											2022-02-07 23:16:01 +01:00
+								---
 								slug: /1204/secrets
-												website: hardcode version banner for 0.1 docs

O.1 docs is deprecated. Let's inform user to switch the the latest version

Signed-off-by: user.email <jf@dagger.io>

											
										
										
											2022-04-13 15:58:51 +02:00
+								displayed_sidebar: '0.2'
-												Add the must-have pages for the Europa release

The goal is to capture the shape of the new docs. It is not meant to be
final, but it should be as close as possible. We only want the bare
minimum for new users that on-board with Dagger Europa. As soon as the
new europaSidebar replaces replaces the existing one, the previous docs
will still remain available - doc IDs are unique and permanent. We will
do this by simply changing the default `slug: /` to point to the Europa
Docs entrypoint, which is doc 1200.

Helpful Docusaurus link re multiple sidebars:
https://docusaurus.io/docs/sidebar/multiple-sidebars

The new pages are numbered from `1200` onwards. This is meant to reflect
the `0.2.0` Dagger version. This numbering felt more meaningful than
just continuing to increment existing numbers.

I didn't want to be "wasteful" with the digits and start at `2000`, but
that was my first instinct.

I am keen on getting this live on https://docs.dagger.io/1200/local-ci.
Anything that is not in production, is inventory. Inventory is bad.

The goal is to allow anyone that has a link to get a feel for the new
docs as soon as possible, so that we can all see how they improve in
real-time, and steer them continuously towards the desired state. We
should be aware of the timeline, and not muck about, but instead
evaluate constantly how close are we to "flipping the switch".

Remember, the best releases are those where switches are flipped (e.g.
`--europa)`. The feature will have been out there for weeks (maybe even
months), improved by talking to users and then one day realising that we
are done, and just enabling it by default. It's the same principle
behind these docs.

Signed-off-by: Gerhard Lazu <gerhard@lazu.co.uk>

											
										
										
											2022-02-07 23:16:01 +01:00
+								---
 								# How to use secrets
-												Add new Client API

Signed-off-by: Helder Correia <174525+helderco@users.noreply.github.com>

											
										
										
											2022-03-07 14:12:39 +01:00
 								Most operations in `client` support handling secrets (see [Interacting with the client](./1203-client.md)). More specifically, you can:
 								- Write a secret to a file;
 								- Read a secret from a file;
 								- Read a secret from an environment variable;
 								- Read a secret from the output of a command;
 								- Use a secret as the input of a command.
-												Fix typo

Signed-off-by: Jeremy Adams <jeremy.adams.pdx@gmail.com>

											
										
										
											2022-03-16 00:52:28 +01:00
+								## Environment
-												Add new Client API

Signed-off-by: Helder Correia <174525+helderco@users.noreply.github.com>

											
										
										
											2022-03-07 14:12:39 +01:00
 								The simplest use case is reading from an environment variable:
 								```cue
 								dagger.#Plan & {
 								    client: env: GITHUB_TOKEN: dagger.#Secret
 								}
 								```
 								## File
 								You may need to trim the whitespace, especially when reading from a file:
-												Move snippets outside of markdown

Signed-off-by: Helder Correia <174525+helderco@users.noreply.github.com>

											
										
										
											2022-03-10 13:50:21 +01:00
+								```cue file=../tests/core-concepts/secrets/plans/file.cue
-												website: hardcode version banner for 0.1 docs

O.1 docs is deprecated. Let's inform user to switch the the latest version

Signed-off-by: user.email <jf@dagger.io>

											
										
										
											2022-04-13 15:58:51 +02:00
-												Add new Client API

Signed-off-by: Helder Correia <174525+helderco@users.noreply.github.com>

											
										
										
											2022-03-07 14:12:39 +01:00
+								```
 								## SOPS
 								There’s many ways to store encrypted secrets in your git repository. If you use [SOPS](https://github.com/mozilla/sops), here's a simple example where you can access keys from an encrypted yaml file:
 								```yaml title="secrets.yaml"
 								myToken: ENC[AES256_GCM,data:AlUz7g==,iv:lq3mHi4GDLfAssqhPcuUIHMm5eVzJ/EpM+q7RHGCROU=,tag:dzbT5dEGhMnHbiRTu4bHdg==,type:str]
-												website: hardcode version banner for 0.1 docs

O.1 docs is deprecated. Let's inform user to switch the the latest version

Signed-off-by: user.email <jf@dagger.io>

											
										
										
											2022-04-13 15:58:51 +02:00
+								sops: ...
-												Add new Client API

Signed-off-by: Helder Correia <174525+helderco@users.noreply.github.com>

											
										
										
											2022-03-07 14:12:39 +01:00
+								```
-												Move snippets outside of markdown

Signed-off-by: Helder Correia <174525+helderco@users.noreply.github.com>

											
										
										
											2022-03-10 13:50:21 +01:00
+								```cue file=../tests/core-concepts/secrets/plans/sops.cue title="main.cue"
-												website: hardcode version banner for 0.1 docs

O.1 docs is deprecated. Let's inform user to switch the the latest version

Signed-off-by: user.email <jf@dagger.io>

											
										
										
											2022-04-13 15:58:51 +02:00
-												Add new Client API

Signed-off-by: Helder Correia <174525+helderco@users.noreply.github.com>

											
										
										
											2022-03-07 14:12:39 +01:00
+								```