Chalk lets you inject secrets and environment variables into the runtime for your resolvers and services. The two serve different purposes:

  • Secrets are for sensitive values — passwords, API keys, tokens, connection strings, certificates. They are stored encrypted using a Key Management Service and backed by your cloud secret manager, and are never committed to your repository.
  • Environment variables are for non-sensitive configuration and special values used to tune the behavior of your deployments and services.

Both are injected into the runtime and read the same way in your resolver or in a setup hook:

import os

value = os.getenv("MY_VARIABLE")

Secrets

Use a secret for any value you would not want to check into source control — SASL passwords, AWS/GCP keys, third-party API tokens, database connection strings, or SSL material. Secrets are stored in your cloud secret manager and injected into your deployment containers, where they are available to resolvers via os.getenv.

Managing secrets in the dashboard

Under Integrations > Secrets, you can view, add, edit, and delete secrets. When creating or editing a secret, provide the name and value and select the environments it should apply to. This is the recommended way to set a secret whose value you do not want to type on the command line.

Managing secrets with the CLI

The chalk secret command lets you upsert, inspect, and delete secrets.

Setting a secret

chalk secret set upserts one or more secrets. There are three ways to provide values:

# Interactive mode
$ chalk secret set

# From stdin
$ cat key.pem | chalk secret set TLS_CERT
$ base64 -i chalk.p12 | chalk secret set PKCS12_CERT

# Key-value pairs
$ chalk secret set MY_SECRET_KEY=s3cr3t
$ chalk secret set MY_OTHER_SECRET_KEY=5ecret PORT=9000

Inspecting and deleting secrets

# List the secrets available in this environment
$ chalk secret list

# Get a single secret by name
$ chalk secret get --name CHALK_KAFKA_SASL_USERNAME

# Delete one or more secrets
$ chalk secret delete --name CHALK_KAFKA_SASL_PASSWORD

Changing a secret is the same operation as creating one — re-run chalk secret set (or edit it on the Secrets page) with the new value.


Environment variables

Use environment variables for non-sensitive configuration and special values that adjust how your services behave — feature flags, tuning knobs, and other runtime configuration. They can be applied at two scopes, plus the CLI.

Environment variables are intended for environment and service configuration. Any value you need to read from your resolvers — and especially anything sensitive — should be set as a Secret instead.

Environment-wide (Config variables page)

Under Integrations > Config variables, you can view and edit the global environment variables for your environment. Values set here apply across the whole environment and map to the environment’s additional_env_vars.

Per-service (Resource page)

To scope an environment variable to a specific service (for example, only the engine-grpc or streaming server in a particular resource group), set it on the Resource page for that service. These values apply only to the targeted service rather than the whole environment.

With the CLI

You can read more about programmatic management of chalk environment variables under Programmatic Management


Chalk environment variables

Chalk also provides a few environment variables that you can use in your resolvers.

NameDescription
TARGET_ROOTThe root directory of the application. This variable is set for both branch and standard deployments.
CHALK_DEPLOYMENT_IDThe ID of the deployment
CHALK_TEAM_IDThe ID of the team
CHALK_PROJECT_IDThe ID of the project
CHALK_ACTIVE_ENVIRONMENTThe id of the active environment (e.g. "9d0oj902")
CHALK_ENVIRONMENT_NAMEThe name of the active environment (e.g. "prod")