Best practices on Saving secrets as Environment Variables

Secrets

Written by Ossi Galkin
Updated over a year ago

Saving secrets as Environment Variables

The first thing to note, before going into the log settings themselves, is that you should always save all credentials as secret Environment Variables. If you do, the credentials won't be logged no matter what log settings a Process or an Element is using. This way you won't accidentally log any credentials in any Processes or Subprocesses.

When calling a Subprocess, note also that if you need to pass secret parameters to it, such as passwords or connection strings, you should always set them as secret parameters. If you have set an Environment Variable as a secret variable but forget to mark the parameter as a secret parameter, the value won't be logged in the calling Process, but it will be logged in the Subprocess. This happens because the Subprocess does not use the original Environment Variable; the value is copied to the Subprocess.

A better way is to use the Environment Variable directly in the Subprocess instead of passing the value as a parameter, but this is not always an option if you need to use different credentials depending on which Process is calling the Subprocess.