Secrets Management for CircleCI

No more copy-pasting sensitive values into a GUI. Securely load secrets into CircleCI and sync them automatically.

Your CI/CD Pipeline Deserves Good Secrets Management

Every platform that needs secrets introduces "Yet Another Secret Store" that needs to be kept in sync. Nobody likes jobs failing due to missing or outdated secrets. There has to be a better way.

The Solution

Replace secret environment variables with reference tags

Gather all secrets from your CircleCI environment variables and use the SecretHub CLI to safely store them in a centralized location.


Simply add secrethub:// reference tags to your job in either your .circleci/config.yml file or in CircleCI Contexts to automatically load secrets at runtime:

A single source of truth for your secrets

With your secrets centralized you know that when a value is updated, CircleCI and all other tools will have it on the next run.

  • No more manually syncing the CircleCI Environment Variables GUI
  • No hidden pipeline dependencies: secrets are explicitly declared in the same file as the job that needs them
  • No more evaluations of each tool's own secret store

Develop and maintain pipelines without breaking them

Secrets shouldn't get in the way when you're developing pipelines. Leverage the powerful reference syntax for cleaner, more predictable, and reproducible CircleCI pipelines:

Pin secret versions
  • secrethub://company/app/docker/password:latest
  • secrethub://company/app/docker/password:2
Switch secrets between environments
  • secrethub://company/app/prod/aws/secret_access_key
  • secrethub://company/app/staging/aws/secret_access_key
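
A pre-merge check built on the reference syntax above, as an added example that is not SecretHub's own code: it classifies each environment variable value as pinned, floating or literal, and flags a reference whose path points at another environment. The grammar is inferred from the examples on this page; the sensitive-name pattern, the environment segment names and the sample job are assumptions.

```python
import re

# Grammar inferred from the examples on this page (an assumption, not a
# published spec): secrethub://<path>[:<version>], version = "latest" or N.
REF = re.compile(r"secrethub://(?P<path>[\w.-]+(?:/[\w.-]+)+)(?::(?P<version>\w+))?")
SENSITIVE = re.compile(r"KEY|PASSWORD|SECRET|TOKEN", re.I)  # heuristic name match
ENVIRONMENTS = {"prod", "staging"}  # assumed environment path segments

def classify(value):
    """Return (kind, path, version) for one environment variable value."""
    m = REF.fullmatch(value.strip())
    if not m:
        return ("literal", None, None)
    path, version = m.group("path"), m.group("version") or "latest"
    if version == "latest":
        return ("floating", path, version)
    if version.isdigit() and int(version) > 0:
        return ("pinned", path, version)
    return ("invalid", path, version)

def audit(env, environment):
    """Return (name, finding) pairs, ordered by name, for a job's env mapping."""
    findings = []
    for name, value in sorted(env.items()):
        kind, path, version = classify(value)
        if kind == "literal":
            if SENSITIVE.search(name):
                findings.append((name, "sensitive-looking name holds a literal value"))
            continue
        if kind == "invalid":
            findings.append((name, f"unrecognized version '{version}'"))
        elif kind == "floating":
            findings.append((name, "floating version, resolves to latest on each run"))
        wrong = (ENVIRONMENTS - {environment}) & set(path.split("/"))
        if wrong:
            findings.append((name, f"references {sorted(wrong)[0]} secret in {environment} job"))
    return findings

# Constructed sample: the env block of a hypothetical staging job.
SAMPLE_ENV = {
    "DOCKER_PASSWORD": "secrethub://company/app/docker/password:2",
    "AWS_SECRET_ACCESS_KEY": "secrethub://company/app/prod/aws/secret_access_key",
    "API_TOKEN": "constructed-literal-value",
    "AWS_REGION": "eu-west-1",
}

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_ENV, "staging"):
        print(f"{name}: {finding}")
```
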
Run jobs locally too

This is the missing piece for achieving dev/prod parity when running CircleCI jobs locally: loading secrets now works the same way no matter where you're running.

Prevent accidents and leaks

Mistakes are easily made. Keep your peace of mind and ensure your CircleCI logs won't give away the keys to the kingdom.

  • All secret values are automatically masked from log output
  • Secrets are end-to-end encrypted and plaintext values only exist in memory during the lifetime of a job
  • Scope secrets to a single command or job, instead of the entire CircleCI config

Control & monitor when CircleCI reads secrets

Every time your CircleCI job starts, its secret reads are recorded in the audit log. Restrict access to only the secrets it needs and know that you can revoke access with a single command.

Be up and running in no time

Follow the step-by-step guide and you'll be loading secrets into CircleCI today.

secrethub/cli@1.0.1

Unify secrets management across all software delivery phases

You don't have to reinvent the wheel for every platform that needs to consume secrets. Use a single tool to keep secrets safe and in sync across your entire stack.