Applications require a lot of sensitive information. Database passwords, API keys and secrets used for signing JWTs, just to name a few. If you're deploying your application using the Now CLI, you can deploy your secret information right through the CLI and give your code access to those secrets without exposing them directly in your source code. In this lesson, we'll cover how to add secrets to Now, how to use a secret as the value of an environment variable and how to list and remove secrets in Now.
Here I have a simple Hello World application that I built with Express and deployed to Now. If we take a look at the code for this application, you'll see that on the root route I'm just printing out hello and the value of an environment variable called greeting.
In order to populate this greeting environment variable, I use the -e flag when I deploy to Now and pass it the name of the environment variable with a value. Any non-trivial application is going to need some kind of secure information, whether it's the username and password for your database or API keys or both.
Luckily, Now has support for secrets. Just to make it easy to see what's going on, we're going to create a secret and then we're going to display it on the page. To create the secret, I'm going to run now secrets add. I'm going to give the secret a name. We'll call it super-secret message.
Then in quotes I'm going to give it a value, "Mr. Bond." We'll see the success message that super-secret message has been added. Now that that's been added, I can type now secrets ls to get a list of my secrets. You'll notice that the value of my secret isn't anywhere in this list.
The only way that value can be accessed at this point is through an environment variable in the deployment. Let's take a look at how we can do that. I want to create a new deployment of my application using that secret as my greeting environment variable.
I'm going to start by running the now command. Because I haven't actually changed any of my code and I just want to change the value of an environment variable, I'm going to use the -f flag to force a new deployment.
Otherwise Now is going to detect that there haven't been any changes to the code, and it's just going to give you back the old deployment's URL and not really update anything. I want to set an environment variable, so I'm going to use the -e flag with the name of my environment variable, which is greeting.
Normally, I would hit equal and then set a value, but since I want my value to be my secret key, I need to do this just a little bit differently. To let Now know that I want to use my secret, I'm going to use the @ symbol followed by the name of my secret.
When I press enter, Now will run. It will give me my new deployment's URL. We can drop that into the browser. We can watch Now do its thing. Then it'll load up our application using our secret as our greeting.
Let's say I want to get rid of that secret. I can come back in here, and I can type now secrets ls. I'll get my secret and say I want to remove it. I'm going to run now secrets rm with the name or the key; either one will work. It will prompt me to make sure I'm sure. My secret's been removed. If I run now secrets ls again, we'll see that I have no secrets.
I'll jump back to the browser. This is the deployment that used our secret as the environment variable. If I reload this, nothing's going to change. That secret value is in that deploy. If I want that secret to be gone completely, I'm going to need to redeploy this application with a new value for that environment variable.
I still haven't made any changes to my code, so I'm going to use now -f -e greeting=Eggheads. It'll run through another deploy. I'll get a new URL. Once that deployment's finished, you'll see that I get a page that uses my new non-secret value for the message.
The problem is that, because Now deploys the way it does, my old deployment lives on forever. I just need to jump back into the terminal and get rid of it. I'm going to run now ls. This one in the middle is the one that used the secret. I'll just run now rm and throw that key in there. That will remove that deployment.
If I go back to the browser now and try to refresh this, I'll get a 404. Now there's no trace of my secret value anywhere.
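
The cleanup steps from the lesson, collected into one shell function as an added example (it is not code from the lesson or from the Now project). The function name retire_secret and its arguments are hypothetical; it uses only the now commands shown above, and runs the redeploy before the removals so the application is never left without a deployment.

```shell
#!/bin/sh
# Added example: retire a Now secret so that no live deployment still carries it.
# retire_secret is a hypothetical helper; every argument is supplied by you.
#   $1  name of the secret to retire
#   $2  environment variable that referenced it (e.g. greeting)
#   $3  replacement value for that variable
#   $4  id or URL of the old deployment, as listed by `now ls`
retire_secret() {
    secret_name=$1 env_name=$2 new_value=$3 old_deployment=$4

    if [ -z "$secret_name" ] || [ -z "$env_name" ] ||
       [ -z "$new_value" ] || [ -z "$old_deployment" ]; then
        echo "usage: retire_secret <secret> <env-var> <new-value> <old-deployment>" >&2
        return 2
    fi

    # A replacement of @<same secret> would bake the value into the new
    # deployment as well, so refuse before touching anything.
    if [ "$new_value" = "@$secret_name" ]; then
        echo "replacement still references secret '$secret_name'" >&2
        return 2
    fi

    # 1. Force a new deployment (the code is unchanged) with the new value.
    now -f -e "$env_name=$new_value" || return 1

    # 2. Remove the old deployment: it keeps the secret's value in its
    #    environment even after the secret itself is deleted.
    now rm "$old_deployment" || return 1

    # 3. Remove the secret, then list what remains to confirm it is gone.
    now secrets rm "$secret_name" || return 1
    now secrets ls
}

# Example call (constructed values; take the deployment id from `now ls`):
#   retire_secret my-secret greeting Eggheads <old-deployment-id>
```

Both now rm and now secrets rm may ask for confirmation; the function leaves those prompts in place so each removal is still acknowledged by hand.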