Working with secret stores

Secret stores give you a secure location to place credentials so they are available to Compute services operating at the Fastly edge.

You can also create and work with secret stores via the API.

Prerequisites

Secret Store is only available for Fastly's Compute services, not for Deliver (VCL-based) services.

Limitations and considerations

When creating or making changes to secret stores, keep the following things in mind:

• Trials for Compute include one secret store.
• Paid accounts include a minimum of 10 secrets regardless of the number of stores with additional secrets available for purchase.
• Secret store names can only contain letters, numbers, dashes, underscores, and periods.
• Secret stores support a maximum size of 64KB per secret.
• Secrets are limited to 5 secret reads per Compute request. To increase this limit contact Fastly Support.
• Secrets are limited to 1000 writes per month.

Creating a secret store

Creating a secret store requires you to create at least one key-value pair containing secrets and then associating the store with a service. To create a new secret store and add secrets, follow these steps:

1. Log in to the Fastly web interface and click the Resources link.
2. Click Secret stores.
3. Click Create a secret store.
4. Enter a name for the secret store and then click Add. The secret store you just created appears.
5. Click Key-value pairs.
6. Click Add item. A row appears where you can add secrets.
7. In the Name field, enter a name for the secret.
8. In the Secret field, enter the secret value. Alternatively, click Browse for file to upload a secrets file on your system using the file picker.
9. Click Add.
10. Click Add item to continue adding additional secrets as necessary.

Linking secret stores to a service

Once you've added at least one secret to a secret store, you can link it to a service from the Resources tab or from the Service configuration tab for the service.

Linking secret stores from the Resources tab

To link a secret store to a service from the Resources tab:

1. Log in to the Fastly web interface and click the Resources link.

2. Click Link to services to the right of the store you want to link.

3. Select the checkbox next to any services you want to link your secret store to and then click Next.

4. Decide which version of the service to link to. By default, the system will assume you want to clone the most recently active version of your service. You can choose an existing draft version of the service instead by selecting it specifically from the Version menu.

5. Select one of the following options for linking the store to your service:

   • Link only: links the store to the selected service versions but leaves any cloned or draft versions un-activated so you can activate them at a later time.
   • Link and activate: links the store to the selected service versions and activates those versions at the same time.

   A success message appears once the secret store is linked to the service.

6. Finally, do one of the following:

   • Click Activate versions to activate any cloned or draft versions of services linked to the secret store.
   • Click Finish to leave the cloned or draft service versions un-activated so you can make additional configuration changes to them and activate them at a later time.

Linking secret stores from the Service configuration tab

To link a secret store to a service from the Service configuration tab:

1. Log in to the Fastly web interface.
2. From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain. You can also click Compute services or CDN services to access a list of services by type.
3. From the Resources options in the sidebar, click Secret stores.
4. From the Link Secret Store to service menu, select the secret store you want to link to the service. A success message appears indicating the store is linked to your service.

Unlinking secret stores

You can unlink a secret store from a service from the Service configuration tab.

To unlink a secret store:

1. Log in to the Fastly web interface.
2. From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain. You can also click Compute services or CDN services to access a list of services by type.
3. From the Resources options in the sidebar, click Secret stores.
4. Click Unlink from service next to the secret store you want to unlink from your service.
5. Click Confirm and unlink. A new, draft version of the service is created.
6. Activate the service to finalize unlinking the secret store.

Editing a secret store

After creating a secret store, you can edit the secrets within the story or add new secrets to the store.

To edit secrets within a store:

1. Log in to the Fastly web interface and click the Resources link.
2. Expand the Key-value pairs section.
3. Hover your cursor over the entry you want to edit, then click the Edit link that appears.
4. Update the secret value. Alternatively, click Browse for file to navigate to a file on your system using the file picker.
5. Click Save.

To add new secrets to a secret store:

1. Log in to the Fastly web interface and click the Resources link.
2. Expand the Key-value pairs section.
3. Under Key-value pairs, click Add item.
4. Enter the name and secret in the appropriate columns and then click Add.
5. Repeat for any additional secrets.

The changes you make will be immediately applied to your configuration including any deployed service versions associated with the secret store.

Deleting a secret store

You can delete a secret store at any time. Before deleting a secret store:

• Unlink the secret store from your services. If the secret store is linked to any service, an error will appear when you try to delete the store.
• Update any custom logic that references the key-value pairs in the secret store. Deleting a secret store also deletes all key-value pairs within the store.

To delete a secret store:

1. Log in to the Fastly web interface and click the Resources link.
2. Click the trash to the right of the store you want to delete.
3. Click Confirm and delete.