Sensitive secrets and tokens should never be checked into your code repository or submitted as part of your app package. In order to protect your secrets, you can use an optional
.env file that should not be committed into your code repository (add to .gitignore, for example). If your app does not require global sensitive data, you do not have to include this file.
Add your secrets to the
.env file in the root of your app in the following format:
All app environment variables MUST start with
Then add the same environment variable names to your
app.yml under environment:
environment: - APP_ENV_GLOBAL_SECRET - APP_ENV_CLIENT_ID
This indicates these environment variables are required for your app to run so when you upload your app, the OCP CLI will ensure you included the values in your
.env file before uploading the app.
When you upload an app, the OCP CLI reads the environment variable values and uploads them separately and securely to OCP. These values are tied to the current app version you are uploading. After publishing your app, if you want to update the values, you need to prepare a new version of your app with an updated
If you want to prepare a new version of your app, but do not have access to the correct
.env values, you can re-use the previous AppVersion's
.env file with:
ocp app prepare --use-previous-app-env-values ...
You can access these variables using
In addition to supplying a
.env file, developers can provide a
.env.\<availablity\> file (for example
.env.eu.) These files are processed in the order of
.env -> .env.\<availablity\> for value overriding.
Any application using
all is not permitted to use an availability specific
Updated about 1 month ago