🔐 Proposal: Built-in Secrets Support in Coder #17965

matifali · 2025-05-21T07:51:15Z

matifali
May 21, 2025
Maintainer

💥 Problem

Developers often store sensitive information, such as API keys and tokens, insecurely, using plaintext files or chat communications. This practice leads to poor control, lack of visibility, and no audit trail.

Additionally, as noted in Issue #7087, there is a need for a user-level secrets management system. While third-party solutions like HashiCorp Vault and AWS Secrets Manager offer powerful features, they can be complex due to the management of authentication. A native solution in Coder could simplify this process, balancing security and usability.

✅ Solution

Coder will support built-in secrets with 3 scopes:

Account – personal secrets per user
Template – shared with all workspaces from a template
Organization – shared org-wide across all workspaces

Secrets can be:

Set via CLI/API (coder secret set)
Injected as environment variables AND/OR accessed at runtime via coder secret get
Audited for reads/updates/deletes

🔧 CLI Examples

# Set a secret from the prompt
$ coder secret set MY_API_KEY

# Use in script
$ export OPENAI_KEY=$(coder secret get MY_API_KEY)

# List secrets
$ coder secret list

NAME              UPDATED
MY_API_KEY        2 days ago
VERCEL_TOKEN      10 days ago

🖥️ UI Sneak Peek

Secrets will also be configurable via the web UI (Account, Template, Org):

🔍 Auditing (Premium)

All secret usage (set, get, inject) will be logged with:

User, Workspace, Timestamp, Secret Name

Example:

atif accessed SECRET_C in dev workspace at 09:00 UTC

💬 Feedback Wanted

Would automatic secret injection help your workflows, or would you prefer coder secret get and script it out?
Do you currently use Codespaces/Gitpod secrets—how’s that experience?
What would your preference be for overwriting secrets when a user, a template, and an organization have a secret with the same name? The current proposal is to follow the preference in order User > Template > Org.

Let us know what you think!

mthemis-provenir · 2025-05-21T12:18:36Z

mthemis-provenir
May 21, 2025

It's not mentioned here, but the addition of a password field type to the coder_parameter block would also be very useful. In this instance, when a user creates a workspace, they could define a password inline (for example, a VNC password). This would be a seamless method for users to set a password and it could be automatically stored to their personal secret storage.

In our use case, our users don't use the coder CLI, and having to define a password separately before creating a workspace seems a little "clumsy".

Otherwise, these changes are definitely a move in the right direction.

1 reply

matifali May 21, 2025
Maintainer Author

Thanks for the input. I like the idea of coder_parameter. Perhaps we can merge this with what @ggjulio said below, allowing a template admin to set recommended secrets that the user must set before create a workspace.

ggjulio · 2025-05-21T16:48:25Z

ggjulio
May 21, 2025

Nice.
Is there any plans for also supporting for devcontainer secrets as a derived of this rfc ?

// devcontainer.json
// [...]
"secrets": {
  "JF_TOKEN": {
    "description": "Jfrog artifactory token used by the post-start script.",
    "documentationUrl": "..."
  },
    "FOO_API_SECRET": {
    "description": "The required api key to target service foo..." 
    "documentationUrl": "..."
  }
}

2 replies

matifali May 21, 2025
Maintainer Author

I will try how this works. As far as I know, this is a GitHub CodeSpaces-specific syntax to recommend a user to set these secrets.

ggjulio May 21, 2025

Nice!
It's been added to the spec because of codespaces. However it's not codespaces specific.
It's not documented in the official doc but it is still in the spec.

sources:

usage example cli: Add devcontainer secrets support daytonaio/daytona#1295
proposal: https://github.com/devcontainers/spec/pull/214/files
Original pr: Declarative secrets devcontainers/spec#198
spec: https://github.com/devcontainers/spec/blob/main/docs/specs/secrets-support.md

usage cli

The devcontainer cli takes an option called --secrets-file which just takes a json file of key value pair:

  --secrets-file                    Path to a json file containing secret environment variables as key-value pairs.  [string]

During workspace provision, based on the secret section in devcontainer.json, a coder command
would fetch the specified secrets from coder's DB or external vault and return a json string for the devcontainer cli to use:

// file /path/to/secrets.json
{
  "NAME_OF_SECRET_1": "secret-value1",
  "NAME_OF_SECRET_2": "secret-value2"
}

Then simply adding --secrets-file to the up cmd would be enough to inject secrets into the devcontainer:

devcontainer  up [...] \
    --secrets-file /path/to/secrets.json

Well it would be a nice UX to validate secrets exists before workspace provision,
but at least it would make devcontainer template truly generic, and avoid templates duplication.

MrPeacockNLB · 2025-05-21T19:00:44Z

MrPeacockNLB
May 21, 2025

Storing of secrets should be permitted by administrator on each scope

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

🔐 Proposal: Built-in Secrets Support in Coder #17965

{{title}}

Replies: 3 comments 3 replies

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

🔐 Proposal: Built-in Secrets Support in Coder #17965

matifali May 21, 2025 Maintainer

💥 Problem

✅ Solution

🔧 CLI Examples

🖥️ UI Sneak Peek

🔍 Auditing (Premium)

💬 Feedback Wanted

Replies: 3 comments · 3 replies

mthemis-provenir May 21, 2025

matifali May 21, 2025 Maintainer Author

ggjulio May 21, 2025

matifali May 21, 2025 Maintainer Author

ggjulio May 21, 2025

usage cli

MrPeacockNLB May 21, 2025

matifali
May 21, 2025
Maintainer

Replies: 3 comments 3 replies

mthemis-provenir
May 21, 2025

matifali May 21, 2025
Maintainer Author

ggjulio
May 21, 2025

matifali May 21, 2025
Maintainer Author

MrPeacockNLB
May 21, 2025