# Secret

## Overview

A Secret keeps credentials out of your manifests. Instead of embedding usernames, passwords, certificates, tokens, and keys in application code or YAML, you store them once as a Secret and reference them by name. That separation is the point: sensitive values never sit in a Resource definition, so they are not exposed when a Resource is created, viewed, or edited.

{% hint style="info" %}
**Secret in the Data Product Lifecycle**

In the Data Product Lifecycle, Secrets play a crucial role in securely managing credentials and sensitive information. They are particularly useful when your Data Product requires:

* **Secure Credential Management**: Storing and managing sensitive information such as usernames, passwords, API keys, or certificates securely within a Tenant. For example, a Secret can securely store the credentials needed to connect to a database, ensuring they are not exposed in the codebase or configuration files.
* **Access Control**: Ensuring that only authorized components and services within the tenant can access the credentials. For instance, a Secret can be used to provide a web application with the credentials to access a third-party service without exposing those credentials to the broader environment.
{% endhint %}

## Prerequisites

To create a Secret, you need a tenant-specific role (**Tenant Admin**, **Data Admin**, or **Data Developer**).

To use a Secret, you need resource-specific permission granted by the Secret owner.

## Structure of a Secret manifest file <a href="#structure-of-a-secret-manifest" id="structure-of-a-secret-manifest"></a>

A Secret manifest carries the standard Resource fields (`name`, `version`, `type: secret`) plus a `spec` that holds the credential as key-value pairs. For the full field-by-field breakdown, see [Attributes of a Secret manifest](/concepts/resources/secret/manifest-configuration.md). To create one for a specific source, follow the source-specific steps below.

## How to create a Secret? <a href="#how-to-create-a-secret" id="how-to-create-a-secret"></a>

This section links to the steps for creating a Secret that stores the credentials of commonly used data sources and hosted code repositories, using the DataOS CLI.

### **Data Sources** <a href="#data-sources" id="data-sources"></a>

If you want to store credentials for various data sources in a Secret, follow the steps given in the links below.

* [Azure Blob File System Secure (ABFSS)](/concepts/resources/secret/data-sources/azure-blob-file-system-secure-abfss.md)
* [BigQuery](/concepts/resources/secret/data-sources/bigquery.md)
* [Google Cloud Storage (GCS)](/concepts/resources/secret/data-sources/google-cloud-storage-gcs.md)
* [Java Database Connectivity (JDBC)](/concepts/resources/secret/data-sources/java-database-connectivity-jdbc.md)
* [Kafka](/concepts/resources/secret/data-sources/kafka.md)
* [MongoDB](/concepts/resources/secret/data-sources/mongodb.md)
* [Microsoft SQL Server (MSSQL) or Azure SQL](/concepts/resources/secret/data-sources/microsoft-sql-server-mssql-or-azure-sql.md)
* [MySQL](/concepts/resources/secret/data-sources/mysql.md)
* [OpenSearch](/concepts/resources/secret/data-sources/opensearch.md)
* [Oracle](/concepts/resources/secret/data-sources/oracle.md)
* [PostgreSQL](/concepts/resources/secret/data-sources/postgresql.md)
* [Redshift](/concepts/resources/secret/data-sources/redshift.md)
* [Simple Storage Service (Amazon S3)](/concepts/resources/secret/data-sources/simple-storage-service-amazon-s3.md)
* [Snowflake](/concepts/resources/secret/data-sources/snowflake.md)

### **Repositories** <a href="#repositories" id="repositories"></a>

If you want to store credentials for hosted code repositories in a Secret, follow the steps given in the links below.

* [AWS CodeCommit](/concepts/resources/secret/repositories/aws-codecommit.md)
* [Bitbucket](/concepts/resources/secret/repositories/bitbucket.md)
* [Git](/concepts/resources/secret/repositories/git.md)

### **Projections** <a href="#projections" id="projections"></a>

Use projections when a workload needs selected Secret values at runtime.

* [Projections](/concepts/resources/secret/projections.md)
* [How projections work](/concepts/resources/secret/projections/how-projections-work.md)
* [Best practices](/concepts/resources/secret/projections/best-practices.md)
* [Troubleshooting](/concepts/resources/secret/projections/troubleshooting.md)

## Configurations <a href="#configurations" id="configurations"></a>

A Secret stores credential information as key-value pairs. For a detailed breakdown of the configuration options and attributes, see [Attributes of a Secret manifest](/concepts/resources/secret/manifest-configuration.md).

## Best Practices <a href="#best-practices" id="best-practices"></a>

This section lists dos and don'ts for managing a Secret.

* Before deleting a Secret, ensure that no other Resources are using it.

## FAQs <a href="#faqs" id="faqs"></a>

**1. Can I update an existing Secret?**

Yes, you can update a Secret by modifying its manifest file and re-applying it. However, ensure that dependent Resources are updated accordingly. After making changes in the manifest file, run the following command:

```bash
dataos-ctl resource apply -f {path-to-manifest-file}
```

**2. What happens if a Secret is deleted?**

If a Secret is deleted, any Resources relying on it may lose access or experience failures. It is recommended to verify dependencies before deletion.

**3. Is there a way to restore a deleted Secret?**

No, deleted Secrets cannot be recovered. You must create a new Secret and update all associated Resources.

**4. Can we create multiple Secrets with the same name?**

No, Secret names must be unique. If you attempt to create a Secret with a name that already exists, the system will prevent duplication. You may need to use a different name or update the existing Secret if modifications are required.

