Secrets
Patrol never stores raw secret values in template or environment configuration — only a reference to where the value actually lives. Secrets are resolved at deploy and scan time, scoped to your tenant.
Storing secrets
From Settings → Secrets, store encrypted credentials (API keys, deploy tokens, cloud credentials) once, then reference them by name from:
- A template’s deployment config (e.g. a webhook URL or API token)
- A template’s parameter schema (e.g. a database password parameter)
Reference types
A secret value is stored as a { manager, ref } reference rather than the value itself:
- Environment variables — a name resolved from the worker process’s environment
- Vault paths — a path into HashiCorp Vault
- AWS / GCP secret manager references — a secret name or ARN resolved from the cloud provider’s secret manager
Resolution
References are resolved just-in-time by the deployment and scanning workers — never persisted in plain text. This means:
- Template and environment records are safe to view, export, or snapshot without exposing credentials
- Rotating a secret’s underlying value (in Vault, AWS Secrets Manager, etc.) doesn’t require any changes in Patrol — the reference stays the same
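The sketch below is an added example, not Patrol's own code. It shows the reference pattern described above: a stored record holds only { manager, ref } pairs, and a worker resolves them into a throwaway copy at use time. The manager name `env`, the resolver registry, the function names and the sample record are all assumptions made for illustration.

```python
import json
import os

# Hypothetical resolver registry keyed by manager name. Only "env" is
# implemented; Vault or cloud backends would register their own callable.
RESOLVERS = {"env": lambda ref: os.environ[ref]}


def is_reference(value):
    """True if value has the { manager, ref } shape and nothing else."""
    return isinstance(value, dict) and set(value) == {"manager", "ref"}


def resolve(reference):
    """Resolve one reference just-in-time; the result is never stored."""
    if not is_reference(reference):
        raise ValueError("expected a { manager, ref } reference")
    manager, ref = reference["manager"], reference["ref"]
    if manager not in RESOLVERS:
        raise LookupError(f"no resolver registered for manager {manager!r}")
    try:
        return RESOLVERS[manager](ref)
    except KeyError:
        # Name the reference in the error, never a value.
        raise LookupError(f"{manager} reference {ref!r} is not set") from None


def materialize(config):
    """Return a resolved copy for the worker; the stored record is untouched."""
    if is_reference(config):
        return resolve(config)
    if isinstance(config, dict):
        return {k: materialize(v) for k, v in config.items()}
    if isinstance(config, list):
        return [materialize(v) for v in config]
    return config


# Constructed sample record: what would be persisted and exported.
RECORD = {
    "webhook": {"url": "https://hooks.example.invalid/deploy",
                "token": {"manager": "env", "ref": "DEPLOY_TOKEN"}},
    "parameters": [{"name": "db_password",
                    "value": {"manager": "env", "ref": "DB_PASSWORD"}}],
}

if __name__ == "__main__":
    os.environ.update(DEPLOY_TOKEN="constructed-token", DB_PASSWORD="constructed-pw")
    print(json.dumps(RECORD, indent=2))            # export shows references only
    print(sorted(materialize(RECORD)["webhook"]))  # resolved copy has same keys
```

Because `materialize` builds a new structure on every call, changing the underlying value changes the next resolution while the stored record stays byte-for-byte the same.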