By Jem
I am receiving the following error when doing a subsequent deployment through doctl:
errors validating app spec; first error in field "envs.0.value": secret env value must not be encrypted before app is created
This is the command: doctl apps create --upsert --spec app-spec.yml --wait --verbose
Version: 1.68.0
Here is the relevant section of the app-spec.yml file:
envs:
- key: DISCORD_BOT_TOKEN
  scope: RUN_AND_BUILD_TIME
  type: SECRET
  value: <REDACTED>
I have tried multiple approaches (wondering if I did something wrong), and I am getting the error no matter what.
Approach 1:
Approach 2:
I have read the documentation and community questions, and it seems that I am doing this correctly. e.g. https://www.digitalocean.com/community/questions/how-to-use-environment-values-of-type-secret-on-following-submissions
As you make updates to your app spec, if you don’t intend to change those encrypted values, then you should just submit with the in-place encrypted values unchanged.
What is the correct approach to this? If there is an issue with the DOAP, is there a temporary workaround?
Hey!
The error you’re encountering with doctl when deploying an app and using secret environment variables seems to come from how doctl handles the encryption of secret values. The error message “secret env value must not be encrypted before app is created” indicates that the secret value should not be pre-encrypted in your app-spec.yml file when creating or upserting an app.
When you first create an app with a secret environment variable, you should provide the plain text value in the app-spec.yml file. DigitalOcean’s App Platform will then encrypt this value for you. When you subsequently update or upsert the app and don’t intend to change the secret, you should use the encrypted value that the platform provides, not the original plain text.
Here’s how you can handle this:
Initial Deployment:
Subsequent Updates:
Using doctl apps update vs doctl apps create --upsert:
doctl apps update seems to work because it’s designed to update existing resources, where the platform expects encrypted secrets.
The --upsert flag with doctl apps create should theoretically handle both creation and updating seamlessly. However, if it’s causing issues with secrets, it might be a bug or a limitation in how doctl processes the app-spec.yml file. In this case, using doctl apps update for updates after the initial creation is a valid workaround.
If you believe this is a bug with doctl, consider reporting an issue related to this in the doctl GitHub repository:
Best,
Bobby
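The workaround from the answer above, written out as an added example (not code from the thread or from DigitalOcean): update when the app already exists, create only when it does not, and refuse to create from a spec that still carries encrypted secret values. The function names are hypothetical, and the check assumes encrypted values begin with `EV[`, the form seen in specs fetched back from App Platform.

```shell
#!/usr/bin/env bash
# Added example: pick create vs. update so the secret values in the spec
# match what App Platform expects at each stage. Function names are
# hypothetical and not part of doctl.

# Print the ID of the app named $1, or nothing if no such app exists.
app_id_by_name() {
  doctl apps list --format ID,Spec.Name --no-header |
    awk -v name="$1" '$2 == name { print $1; exit }'
}

# Return 0 if spec file $1 contains an already-encrypted secret value.
# Assumption: encrypted values start with "EV[".
spec_has_encrypted_secret() {
  grep -Eq '^[[:space:]]*value:[[:space:]]*"?EV\[' "$1"
}

# deploy_app NAME SPEC
#   existing app           -> doctl apps update (encrypted values accepted)
#   new app, encrypted val -> stop with status 2 before the API rejects it
#   new app, plain values  -> doctl apps create
deploy_app() {
  local name spec id
  name="$1"
  spec="$2"
  id="$(app_id_by_name "$name")" || return 1
  if [ -n "$id" ]; then
    doctl apps update "$id" --spec "$spec" --wait
  elif spec_has_encrypted_secret "$spec"; then
    echo "refusing to create: $spec holds encrypted secret values" >&2
    return 2
  else
    doctl apps create --spec "$spec" --wait
  fi
}
```

Because the first deployment needs the plain-text secret in the spec, keep that version of the file out of version control and supply the value from the CI secret store at deploy time.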