Using secret versions

Now that we have learned to read and write secrets, it is a good time to learn something about secret versions. Secret versions protect us from accidentally overwriting a secret and can come in very handy when doing rolling updates of our infrastructure.

Alright, let’s write once more to the secret we used before:

secrethub write $SH_USERNAME/testing/hello

Notice that :2 (or a higher number if we have written to the secret more than twice) is appended to the path that is returned by the client. This number at the end of the path indicates the version number that has just been written.

We can access any version of a secret by appending :<version> to the path. The latest version can be retrieved by appending :latest or by leaving the version out altogether.

secrethub read $SH_USERNAME/testing/hello:latest

To access the first version of the secret, we can append :1:

secrethub read $SH_USERNAME/testing/hello:1

Now that we’ve gotten the hang of using secret versions, let’s see how processes can read secrets as code.