Secrets Management

What are secrets?

Montag provides a secret store of key/value pairs which are encrypted at rest and are only decrypted when they are used or accessed by an authorised user.

Why do I need secrets?

Secrets are used to provide access to external services, such as databases, APIs, and other services. In the case of Montag, you will likely store your API Keys and any additional credentials (for example for use in scripts that you are collaborating on with others).

How do I create secrets?

There is a dedicated section in the organisation component of the Montag UI for managing secrets. Add your Secrets using the UI, they will be automatically encrypted and decrypted when you access them in the UI.

How do I use secrets elsewhere?

Various fields, specifically any credential field (such as API Client Keys, Pinecone DB keys, Slack keys etc.) are evaluated at runtime and can take on a special format to indicate that they are a secret.

The format is: $SECRET/<secret name> where <secret name> is the name of the secret you created in the UI.

How do I access secrets in scripts?

Secrets are available in the montagSecrets variable in your scripts. You can find full documentation in the Scripting Reference.

Can I use an external secret store like vault?

There is no direct integration with vault, however secrets can also be stored in the form of environment variables. Heere you do not need to use the secrets UI at all, and instead can directly reference the environment variables from the evaluated fields.

The format for evaluating an environemtn variable as a secret instead of the encrypted version is $ENV/<env var name>