> ## Documentation Index
> Fetch the complete documentation index at: https://www.qovery.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Secure

> Learn how to secure your infrastructure and applications with Qovery

Qovery Secure provides essential security features to protect your applications and data, including role-based access control, secrets management, and audit logging.

## Key Security Features

<CardGroup cols={2}>
  <Card title="RBAC" icon="user-lock">
    Control who can access and modify your resources
  </Card>

  <Card title="Secrets Management" icon="key">
    Securely store and inject sensitive data
  </Card>

  <Card title="Doppler Integration" icon="database">
    Universal secrets manager integration
  </Card>

  <Card title="Audit Logs" icon="list-check">
    Track all changes to your organization
  </Card>
</CardGroup>

***

## Role-Based Access Control (RBAC)

Qovery implements a role-based access control system to manage member permissions across your organization, clusters, projects, and environments.

### Default Roles

Qovery provides 5 default roles with predefined permissions:

| Action                                            | Owner | Admin | DevOps | Billing Manager | Viewer |
| ------------------------------------------------- | ----- | ----- | ------ | --------------- | ------ |
| Read organization                                 | yes   | yes   | yes    | yes             | yes    |
| Edit organization                                 | yes   | yes   | no     | no              | no     |
| Delete organization                               | yes   | no    | no     | no              | no     |
| Manage billing                                    | yes   | yes   | no     | yes             | no     |
| Manage members & roles                            | yes   | yes   | no     | no              | no     |
| Manage cluster & container registry               | yes   | yes   | yes    | no              | no     |
| Manage organization setup                         | yes   | yes   | yes    | no              | no     |
| Read ANY project                                  | yes   | yes   | yes    | no              | yes    |
| Edit/Delete ANY project                           | yes   | yes   | no     | no              | no     |
| Create project                                    | yes   | yes   | no     | no              | no     |
| Read ANY environment                              | yes   | yes   | yes    | no              | yes    |
| Edit/Delete ANY environment or service            | yes   | yes   | no     | no              | no     |
| Create environment or service                     | yes   | yes   | no     | no              | no     |
| Add/Edit/Delete environment variables and secrets | yes   | yes   | yes    | no              | no     |
| Deploy/Stop ANY environment or service            | yes   | yes   | yes    | no              | no     |
| Connect via shell to ANY application              | yes   | yes   | yes    | no              | no     |
| View audit logs                                   | yes   | yes   | no     | no              | no     |
| Manage API tokens                                 | yes   | yes   | no     | no              | no     |

<Note>
  Only one Owner per organization is allowed.
</Note>

### Custom Roles

Create tailored roles when default options are insufficient.

**Cluster-Level Access**:

* **Read-Only**: View cluster information
* **Create Environment**: Deploy new environments on specific clusters
* **Full Access**: Manage cluster settings and create environments

**Project-Level Access** (by environment type):

* **No Access**: Cannot see the project
* **Read-Only**: View without modification
* **Deploy**: Handle deployments and logs, manage variables
* **Manage**: Modify deployments and environment structure
* **Full Access**: Complete project administration

<Note>
  Users with custom roles cannot create clusters or manage organization-wide settings like webhooks or API tokens.
</Note>

<Warning>
  Members need to logout/login to activate role changes, or changes take effect within one hour maximum.
</Warning>

**Configure RBAC**:

1. Go to **Organization Settings** → **Members**
2. Click **Invite Member** or edit existing member
3. Select role (default or custom)
4. Configure project/environment access if using custom role
5. Send invitation

***

## Secrets Management

Qovery provides secure environment variable and secrets management for your applications.

### Variable Types

**Classic Variables**: Standard key-value pairs accessible at build time and runtime.

**Secrets**: Encrypted variables with values inaccessible through API or UI. Values are only available to applications during execution.

**File-Based Variables**: Variables stored as files at a specified path. Your application accesses the file location via the variable name.

### Variable Scopes

Variables operate at three hierarchical levels:

1. **Project**: Shared across all environments and applications within the project
2. **Environment**: Shared across all applications within one environment
3. **Application**: Available to a single application only

### Built-in Variables

Qovery automatically generates variables following the pattern `QOVERY_<SERVICE_TYPE>_<SERVICE_ID>_<SPEC>`, enabling easy service interconnection.

Examples:

```bash theme={null}
# Database connection
QOVERY_DATABASE_MY_POSTGRES_HOST
QOVERY_DATABASE_MY_POSTGRES_PORT
QOVERY_DATABASE_MY_POSTGRES_USERNAME
QOVERY_DATABASE_MY_POSTGRES_PASSWORD
QOVERY_DATABASE_MY_POSTGRES_DATABASE

# Application URL
QOVERY_APPLICATION_MY_API_URL
```

### Creating Secrets

<Tabs>
  <Tab title="Console">
    1. Navigate to your **Application** → **Variables**
    2. Click **Add Variable**
    3. Enter variable key
    4. Select **Secret** type
    5. Enter secret value
    6. Choose scope (Application, Environment, or Project)
    7. Click **Save**

    <Note>
      Secret values are encrypted and cannot be viewed after creation. Only the first and last 3 characters are shown.
    </Note>
  </Tab>

  <Tab title="Terraform">
    ```hcl theme={null}
    resource "qovery_application" "my_app" {
      name           = "my-app"
      environment_id = qovery_environment.production.id

      secrets = [
        {
          key   = "DATABASE_PASSWORD"
          value = var.database_password
        },
        {
          key   = "API_KEY"
          value = var.api_key
        }
      ]
    }
    ```
  </Tab>
</Tabs>

***

## Doppler Integration

Doppler is a universal secrets manager that integrates with Qovery, allowing you to store and manage your application secrets in a single place and access them from anywhere.

### What is Doppler?

Doppler provides:

* Centralized secrets management
* Team collaboration on secrets
* Secret versioning and rollback
* Automatic secret rotation
* Compliance and audit trails

### Setup Doppler Integration

To integrate Qovery with Doppler, follow the official Doppler documentation:

<Card title="Doppler Integration Guide" icon="book" href="https://docs.doppler.com/docs/qovery">
  Complete setup instructions for connecting Qovery with Doppler
</Card>

### Benefits

* **Centralized Management**: Manage all secrets in one place
* **Team Collaboration**: Share secrets securely with team members
* **Automatic Sync**: Secrets automatically sync to Qovery
* **Audit Trail**: Track who accessed and modified secrets
* **Secret Rotation**: Easily rotate secrets across all environments

***

## Audit Logs

Qovery's audit logs enable organizations to track all actions and changes within their system.

### What Gets Tracked

Qovery monitors all API calls for your organization, including:

* Application deployments
* Configuration changes
* Environment modifications
* Cluster updates
* User management actions
* RBAC changes
* Secret modifications
* API token usage

### Event Details

Each logged event includes:

* **Timestamp**: When the action occurred
* **Event Type**: CREATE, UPDATE, DELETE, TRIGGER\_DEPLOYMENT, etc.
* **Target Type**: Environment, Cluster, Role, Application, Database, etc.
* **Target**: The specific object modified
* **Change**: High-level description of what was modified
* **User**: Who made the change (or API token name if via API)
* **Tool**: How the change was made (Console, Terraform, CLI, Git push)

### Accessing Audit Logs

1. Navigate to **Organization Settings**
2. Click **Audit Logs** in the left sidebar
3. View the list of all events
4. Use filters to narrow down results:
   * Time range
   * Target type
   * Target name
   * Event type
5. Click on an event to see full details including JSON response

### Use Cases

* **Security Monitoring**: Track unauthorized access attempts
* **Compliance**: Maintain records for audits (SOC 2, GDPR, etc.)
* **Troubleshooting**: Identify what changed before an incident
* **Team Accountability**: Track who made specific changes
* **Change Management**: Review all infrastructure modifications

### Retention

Audit logs retention period depends on your [Qovery plan](https://www.qovery.com/pricing). Export logs regularly if you need longer retention for compliance purposes.

***

## Best Practices

<CardGroup cols={2}>
  <Card title="Principle of Least Privilege" icon="user-lock">
    Grant minimum required permissions to users and services
  </Card>

  <Card title="Use Secrets for Sensitive Data" icon="key">
    Never use plain variables for passwords, API keys, or tokens
  </Card>

  <Card title="Rotate Secrets Regularly" icon="arrows-rotate">
    Change credentials and API keys quarterly or after team changes
  </Card>

  <Card title="Review Access Quarterly" icon="user-check">
    Audit user permissions and remove inactive users
  </Card>

  <Card title="Monitor Audit Logs" icon="bell">
    Regularly review audit logs for suspicious activities
  </Card>

  <Card title="Use Custom Roles" icon="users-gear">
    Create project-specific roles for better access control
  </Card>
</CardGroup>

***

## Next Steps

<CardGroup cols={2}>
  <Card title="Configuration Reference" icon="gear" href="/configuration/organization">
    Learn more about organization configuration
  </Card>

  <Card title="Environment Variables" icon="code" href="/configuration/environment-variables">
    Complete guide to environment variables
  </Card>

  <Card title="Doppler Documentation" icon="book" href="https://docs.doppler.com/docs/qovery">
    Setup Doppler integration
  </Card>

  <Card title="Observe Your Apps" icon="chart-line" href="/getting-started/guides/qovery-101/observe">
    Monitor security events and logs
  </Card>
</CardGroup>