Feature Engine
Manage secrets and environment variables for your Chalk deployments.
Chalk lets you inject secrets and environment variables into the runtime for your resolvers and services. The two serve different purposes:
Both are injected into the runtime and read the same way in your resolver or in a setup hook:
import os
value = os.getenv("MY_VARIABLE")Use a secret for any value you would not want to check into source control — SASL
passwords, AWS/GCP keys, third-party API tokens, database connection strings, or SSL
material. Secrets are stored in your cloud secret manager and injected into your
deployment containers, where they are available to resolvers via os.getenv.
Under Integrations > Secrets, you can view, add, edit, and delete secrets. When
creating or editing a secret, provide the name and value and select the environments it
should apply to. This is the recommended way to set a secret whose value you do not want
to type on the command line.
The chalk secret command lets you upsert, inspect, and
delete secrets.
chalk secret set upserts one or more secrets. There are three ways to provide values:
# Interactive mode
$ chalk secret set
# From stdin
$ cat key.pem | chalk secret set TLS_CERT
$ base64 -i chalk.p12 | chalk secret set PKCS12_CERT
# Key-value pairs
$ chalk secret set MY_SECRET_KEY=s3cr3t
$ chalk secret set MY_OTHER_SECRET_KEY=5ecret PORT=9000# List the secrets available in this environment
$ chalk secret list
# Get a single secret by name
$ chalk secret get --name CHALK_KAFKA_SASL_USERNAME
# Delete one or more secrets
$ chalk secret delete --name CHALK_KAFKA_SASL_PASSWORDChanging a secret is the same operation as creating one — re-run chalk secret set (or
edit it on the Secrets page) with the new value.
Use environment variables for non-sensitive configuration and special values that adjust how your services behave — feature flags, tuning knobs, and other runtime configuration. They can be applied at two scopes, plus the CLI.
Environment variables are intended for environment and service configuration. Any value you need to read from your resolvers — and especially anything sensitive — should be set as a Secret instead.
Under Integrations > Config variables, you can view and edit the global
environment variables for your environment. Values set here apply across the whole
environment and map to the environment’s additional_env_vars.
To scope an environment variable to a specific service (for example, only the
engine-grpc or streaming server in a particular resource group),
set it on the Resource page for that service. These values apply only to the targeted service
rather than the whole environment.
You can read more about programmatic management of chalk environment variables under Programmatic Management
Chalk also provides a few environment variables that you can use in your resolvers.
| Name | Description |
|---|---|
TARGET_ROOT | The root directory of the application. This variable is set for both branch and standard deployments. |
CHALK_DEPLOYMENT_ID | The ID of the deployment |
CHALK_TEAM_ID | The ID of the team |
CHALK_PROJECT_ID | The ID of the project |
CHALK_ACTIVE_ENVIRONMENT | The id of the active environment (e.g. "9d0oj902") |
CHALK_ENVIRONMENT_NAME | The name of the active environment (e.g. "prod") |