For setting and managing secrets for e.g. service endpoints, databases, message brokers, etc., balenaCloud does not support secret storage and transmission of environment variables. These secrets should be obfuscated in the balenaCloud dashboard, transmitted encrypted to the device, and decrypted and only loaded to the service at runtime.
This would be really good to have. A secret storage similar to what is available at GitHub repos would be great.
Something like Airflow, which finds e.g. "secret" in the env name and hides its value from display.
Agree, this would be a great add. For example, the documentation (Variables | balena docs) says:
“You can use variables to store secrets and other sensitive values out of your codebase and configure them when needed from the dashboard.”
However, secrets are not flagged, and in the dashboard they are flagged as general Variables, allowing anyone that has access to see these values, which is not a good practice.
You should have a setup so you cannot see sensitive values and only set them (similar to other cloud providers such as GitHub, Cloudflare, Azure, etc.), where you can set the sensitive value and see it's set but cannot see the value, and can only replace the secret value from the dashboard.