
Managing Secrets

Terraform runners require credentials to authenticate with your cloud providers. For example, deploying AWS resources requires an AWS_ACCESS_KEY_ID and an AWS_SECRET_ACCESS_KEY.

Security is a primary feature of DeployClear, not an afterthought. You should never hardcode credentials in your .tf files. Instead, use DeployClear's built-in Secret management.

How Secrets Work

When you create a secret in DeployClear:

  1. It is immediately encrypted at rest using AES-256-GCM.
  2. The raw value is never returned to the dashboard UI.
  3. When a Deployment Request runs, the ephemeral Cloudflare Container worker fetches the encrypted secret, decrypts it in memory, and injects it as an environment variable into the Terraform process (TF_VAR_... or directly).
  4. After the container spins down, the decrypted value is destroyed.

Adding a Secret

Because Secrets belong to a Team, you must be at least a DevOps engineer on that specific Team to manage them.

  1. Navigate to the Secrets page using the left sidebar.
  2. Click Create Secret.
  3. Provide a Name (e.g., AWS_ACCESS_KEY_ID). This is the exact casing the environment variable will take.
  4. Provide the raw string Value.
  5. Click Save.

Provider Credentials vs. Terraform Variables

DeployClear injects all secrets into the process environment automatically.

  • Provider Credentials: Standard provider variables like AWS_ACCESS_KEY_ID or ARM_CLIENT_ID are picked up automatically by the respective Terraform providers because they are present in the process environment.
  • Terraform Variables: If your configuration declares an input variable, for example variable "db_password" {}, you must name your secret TF_VAR_db_password so that Terraform binds the value automatically. The name after TF_VAR_ must match the declared variable name exactly, including casing.
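A naming check for the two conventions above, added here as an illustration and not DeployClear's own tooling: given the secret names a Team has defined and a .tf source, it reports which names a provider will read from the environment, which TF_VAR_ names bind to a declared variable, and which miss because the casing differs or no such variable exists. The provider prefix list and the regex-based scan for variable declarations are assumptions of this example.

```python
import re

# Assumptions of this example: provider credentials are recognised by the
# prefixes the page names (AWS_, ARM_), and variable declarations are found
# with a regex rather than a full HCL parser.
PROVIDER_PREFIXES = ("AWS_", "ARM_")
TF_VAR_PREFIX = "TF_VAR_"
VAR_DECL = re.compile(r'\bvariable\s+"([A-Za-z_][A-Za-z0-9_-]*)"')

def declared_variables(tf_source):
    """Names of the input variables declared in a .tf source string."""
    return set(VAR_DECL.findall(tf_source))

def classify_secrets(secret_names, tf_source):
    """Report how each secret name will be consumed once it is injected
    into the Terraform process environment."""
    declared = declared_variables(tf_source)
    lowered = {v.lower(): v for v in declared}
    report = {"provider": [], "bound": [], "case_mismatch": [], "unused": []}
    bound = set()
    for name in secret_names:
        if name.startswith(PROVIDER_PREFIXES):
            report["provider"].append(name)           # read by the provider itself
        elif name.startswith(TF_VAR_PREFIX):
            var = name[len(TF_VAR_PREFIX):]
            if var in declared:
                report["bound"].append(name)          # exact match: Terraform binds it
                bound.add(var)
            elif var.lower() in lowered:
                report["case_mismatch"].append(name)  # TF_VAR_ lookup is case-sensitive
            else:
                report["unused"].append(name)         # no such variable declared
        else:
            report["unused"].append(name)             # neither provider nor TF_VAR_
    # Declared variables with no matching secret need a default or a .tfvars entry.
    report["no_secret"] = sorted(declared - bound)
    return report

# Constructed sample input (not real credentials or a real configuration).
SAMPLE_TF = '''
variable "db_password" {}
variable "region" { default = "eu-west-1" }
'''
SAMPLE_SECRETS = ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
                  "TF_VAR_db_password", "TF_VAR_REGION", "DB_PASSWORD"]

if __name__ == "__main__":
    for bucket, names in classify_secrets(SAMPLE_SECRETS, SAMPLE_TF).items():
        print(f"{bucket}: {names}")
```

In the sample, TF_VAR_REGION is reported as a case mismatch and region as lacking a secret, because Terraform only binds an environment variable whose suffix matches the declared name exactly.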

Vault Integration

For Enterprise deployments, maintaining duplicate secrets inside DeployClear is an anti-pattern. DeployClear integrates seamlessly with your existing HashiCorp Vault.

  1. First, an Organization Owner must configure the Vault Integration under the global /integrations page.
  2. Then, inside your Team's /secrets page, click Create Secret.
  3. Instead of providing the Raw Value, flip the toggle to Vault Backed.
  4. Provide the Vault Mount Path and Key.
  5. DeployClear will now fetch the secret from your Vault dynamically at runtime just before the ephemeral runner spins up.


Released under the MIT License.