Skip to main content
Manage vault secrets from the command line. Store credentials for authenticated monitor checks and use them in config-as-code with ${SECRET_NAME} syntax.

Commands

CommandDescription
devhelm secrets listList all secrets (names only, values are hidden)
devhelm secrets createCreate a new secret
devhelm secrets update <key>Update a secret’s value
devhelm secrets delete <key>Delete a secret
Secrets are identified by key (e.g., SLACK_WEBHOOK_URL). Secret values are write-only — you can set and delete them, but never read the plaintext value back.

secrets list

devhelm secrets list
Lists secret names and metadata. Values are never displayed.

secrets create

devhelm secrets create \
  --key SLACK_WEBHOOK_URL \
  --value "https://hooks.slack.com/services/T00/B00/xxx"
FlagTypeRequiredDescription
--keystringYesSecret name
--valuestringYesSecret value
--environmentstringEnvironment slug to scope this secret to

Environment-scoped secrets

Scope a secret to a specific environment: 
devhelm secrets create \
  --key DATABASE_URL \
  --value "postgres://prod:secret@db.example.com/app" \
  --environment production
When the same key exists at both global and environment scope, the environment-specific value takes precedence during deploy.

secrets update

Update an existing secret’s value: 
devhelm secrets update SLACK_WEBHOOK_URL \
  --value "https://hooks.slack.com/services/T00/B00/new"
FlagTypeRequiredDescription
--valuestringYesNew secret value

secrets delete

devhelm secrets delete SLACK_WEBHOOK_URL

Using secrets in config

Reference secrets in your devhelm.yml with ${...} syntax: 
alert-channels:
  - name: Slack Alerts
    type: SLACK
    config:
      webhookUrl: ${SLACK_WEBHOOK_URL}
Secrets are resolved at deploy time. The plaintext value is never stored in your config file.

Next steps

Environments

Create environments for secret scoping.

Monitoring as Code

Use secrets in your YAML config.