Question

How to hide environment variables in spec yaml file

I am using the spec file below to deploy my app. There are a few environment variables such as the database password and S3 access keys. I have no problem with the database credentials as they can be set dynamically in the same file from the db service. However, I cannot find a good way to set the S3 credentials. I cannot simply put the access key and secret access key in the file as I need to commit it to our git repo. So at this stage I have to deploy using this file once and go to the project page and manually set the S3 credentials myself. Is there a more convenient way? Can I set the environment variable with the doctl apps create --spec spec.yaml command? Thanks

#! spec.yaml

name: my_app
region: sgp1
services:
  - name: backend
    dockerfile_path: Dockerfile
    source_dir: .
    health_check:
      http_path: /health_check
    http_port: 3003
    instance_count: 1
    instance_size_slug: basic-xxs
    routes:
      - path: /
    github:
      branch: master
      deploy_on_push: true
      repo: my_repo
    envs:
      - key: APP_DATABASE__USERNAME
        scope: RUN_TIME
        value: ${db.USERNAME}
      - key: APP_DATABASE__PASSWORD
        scope: RUN_TIME
        value: ${db.PASSWORD}
      - key: APP_DATABASE__HOST
        scope: RUN_TIME
        value: ${db.HOSTNAME}
      - key: APP_DATABASE__PORT
        scope: RUN_TIME
        value: ${db.PORT}
      - key: APP_DATABASE__DATABASE_NAME
        scope: RUN_TIME
        value: ${db.DATABASE}
      - key: APP_S3__ENDPOINT
        scope: RUN_TIME
        value: "???"
      - key: APP_S3__ACCESS_KEY_ID
        scope: RUN_TIME
        value: "???"
      - key: APP_S3__SECRET_ACCESS_KEY
        scope: RUN_TIME
        value: "???"
databases:
  - engine: PG
    name: db
    version: "16"
    production: true
    cluster_name: main-postgresql
    db_name: defaultdb
    db_user: doadmin


Bobby Iliev
Site Moderator
April 20, 2025

Hey!

I think the only way right now is to manually set the S3 credentials in the App Platform dashboard after the first deploy, just like you’re doing.

From what I’ve seen, doctl apps create --spec doesn’t support injecting sensitive env vars dynamically unless they’re coming from a linked service like a database.

That said, you could reach out to DigitalOcean support to double-check if there’s a better option or something newer that might help: https://do.co/support.

Would definitely be nice if doctl allowed passing secrets securely without putting them in the spec file.

- Bobby
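
An added example, not part of the question or the answer above and not DigitalOcean's own tooling: one way to keep the S3 values out of the committed file is to commit a template with `${APP_S3__...}` placeholders and fill them from the deploy environment just before running `doctl apps create --spec`. The template file name, the placeholder convention and the function names are assumptions; `${db.*}` references are left for App Platform to resolve.

```python
import json
import os
import re
import tempfile

# Only these placeholders are filled; names follow the env keys in the question.
SECRET_KEYS = ("APP_S3__ENDPOINT", "APP_S3__ACCESS_KEY_ID", "APP_S3__SECRET_ACCESS_KEY")
# Matches ${NAME}; ${db.PASSWORD} has a dot, never matches, and stays intact.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample: an excerpt of the committed template (hypothetical file).
SAMPLE_TEMPLATE = """\
    envs:
      - key: APP_DATABASE__PASSWORD
        scope: RUN_TIME
        value: ${db.PASSWORD}
      - key: APP_S3__ACCESS_KEY_ID
        scope: RUN_TIME
        value: ${APP_S3__ACCESS_KEY_ID}
      - key: APP_S3__SECRET_ACCESS_KEY
        scope: RUN_TIME
        value: ${APP_S3__SECRET_ACCESS_KEY}
"""

def render_spec(template, env):
    """Fill allowlisted placeholders from env; refuse to render if any is unset."""
    missing = [k for k in SECRET_KEYS if "${%s}" % k in template and not env.get(k)]
    if missing:
        raise KeyError("unset or empty: " + ", ".join(missing))

    def fill(match):
        name = match.group(1)
        if name not in SECRET_KEYS:
            return match.group(0)  # unknown placeholder: leave as written
        return json.dumps(env[name])  # JSON string is a valid quoted YAML scalar
    return PLACEHOLDER.sub(fill, template)

def write_private(text):
    """Write the rendered spec to a temp file readable only by the owner (0600)."""
    fd, path = tempfile.mkstemp(prefix="spec-", suffix=".yaml")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return path

if __name__ == "__main__":
    with open("spec.template.yaml") as fh:  # hypothetical template path
        rendered = write_private(render_spec(fh.read(), os.environ))
    # Deploy with: doctl apps create --spec <rendered>, then delete the file.
    print(rendered)
```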
