This feature is available on:
- AWS Managed Cluster
- GCP Managed Cluster
- AWS Secrets Manager
- AWS Parameter Store
- GCP Secret Manager
How it works
Qovery integrates with external secrets by deploying ESO (External Secrets Operator) in your cluster.
Configure a Secret Manager Access
You can configure a Secret Manager Access in the Add-ons section of your cluster.
AWS Secrets Manager
Connect to AWS Secrets Manager from an AWS or GCP cluster
AWS Parameter Store
Connect to AWS Parameter Store from an AWS or GCP cluster
GCP Secret Manager
Connect to GCP Secret Manager from a GCP or AWS cluster
Reference the external secrets in your service
Once your cluster is deployed, you can link external secrets to any service:
- Open your service
- Navigate to the Variables tab
- Select the External secrets tab
- Click Add external secret



- Select the Secret Manager Access
- Select the secret from your Secret Manager
- Provide the environment variable key to inject

Using external secrets with Terraform services
Terraform services handle environment variables differently from other service types. Unlike application services where any environment variable is directly injected into the container, Terraform services expose variables through the Terraform variable system (TF_VAR_*). This means external secrets require a specific naming convention to be picked up correctly by Terraform at runtime.
External secrets are supported only in the “External Secrets” tab:
- You can’t reference an external secret inside the “Terraform variables” section
- You can’t reference an external secret inside the “Terraform arguments” section
- The key of your external secrets must follow the pattern TF_VAR_${your_variable}
- You must not have an override of your_variable inside the “Terraform variables” from any file.tfvars
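
A pre-deploy check for the two key rules above, as an added example (not Qovery's code). Terraform gives TF_VAR_ environment variables the lowest precedence of its input sources, so a value assigned in a .tfvars file would replace the injected secret. The function names, file name and sample values are constructed for illustration, and the .tfvars parser is a simplification that ignores heredocs and block comments.

```python
import re

# External secret key: TF_VAR_ followed by a Terraform variable name.
KEY_RE = re.compile(r"^TF_VAR_([A-Za-z_][A-Za-z0-9_]*)$")
# Top-level assignment in a .tfvars file, e.g.  db_password = "x"
ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_-]*)\s*=")
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')

def tfvars_names(text):
    """Return the variable names assigned at the top level of .tfvars content."""
    names, depth = set(), 0
    for line in text.splitlines():
        line = STRING_RE.sub('""', line)           # drop string bodies first
        line = re.split(r"#|//", line)[0].strip()  # then drop line comments
        if depth == 0:
            m = ASSIGN_RE.match(line)
            if m:
                names.add(m.group(1))
        # Track nesting so keys inside maps/lists are not taken for variables.
        depth += sum(line.count(c) for c in "{[(") - sum(line.count(c) for c in "}])")
    return names

def check_external_secret_keys(keys, tfvars_by_file):
    """Return (key, problem) findings; an empty list means the keys are usable."""
    findings = []
    for key in keys:
        m = KEY_RE.match(key)
        if not m:
            findings.append((key, "key does not match TF_VAR_<variable>"))
            continue
        for fname, text in tfvars_by_file.items():
            if m.group(1) in tfvars_names(text):
                findings.append((key, f"'{m.group(1)}' is overridden in {fname}"))
    return findings

# Constructed sample input: one .tfvars file and three candidate keys.
SAMPLE_TFVARS = {"prod.tfvars": '''
region      = "eu-west-3"
db_password = "changeme"   # override: would shadow the external secret
tags = {
  api_token = "nested map key, not a variable"
}
'''}
SAMPLE_KEYS = ["TF_VAR_db_password", "TF_VAR_api_token", "DB_PASSWORD"]

if __name__ == "__main__":
    for key, problem in check_external_secret_keys(SAMPLE_KEYS, SAMPLE_TFVARS):
        print(f"{key}: {problem}")
```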
