Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.ardor.cloud/llms.txt

Use this file to discover all available pages before exploring further.

Variables and Secrets Management

Overview

Every application needs configuration — API endpoints, feature flags, database passwords, third-party API keys. Variables & Secrets let you manage all of this without hardcoding values in your code.
Cerebrum manages variables. Just say “add the OpenAI API key” or “set DEBUG to true” — Cerebrum will configure it. The details below explain how variables and secrets work.

Variables

Plain text configuration visible in the UI. Use for non-sensitive settings like endpoints, flags, and paths.

Secrets

Encrypted values hidden from view. Use for passwords, API keys, tokens, and anything sensitive.
Variables and Secrets are configured per service and injected as environment variables at runtime — both in dev containers and production deployments.

Why Use Variables & Secrets

Keep secrets out of code

Never commit passwords or API keys to your repository. Store them securely in Ardor.

Environment-specific config

Same code, different configs. Switch between dev/staging/prod without changing code.

Easy updates

Change a value once in the UI — no redeployment needed for dev containers.

Team-friendly

Share configuration without sharing actual secret values. Team members see masked data.

Variables vs Secrets

VariablesSecrets
VisibilityVisible in UIMasked (••••••••)
StoragePlain textEncrypted
Use forEndpoints, flags, pathsPasswords, API keys, tokens
EditableView and edit freelyEdit without seeing current value
Rule of thumb: Passwords, API keys, tokens? Always a Secret. They’re stored encrypted in Ardor and never touch your code — only references to them do. Your GitHub repo stays clean.

System Variables

At runtime, Ardor may add system variables based on your service settings. These variables are managed by Ardor and cannot be edited or overridden from Variables & Secrets. Common system variables include:
VariableDescription
ARDOR_SERVICE_IDID of the current service
ARDOR_ENVIRONMENT_IDID of the current environment
ARDOR_PRIVATE_HOSTPrivate hostname for reaching the service inside the environment
System variables are injected automatically when they apply to the service. They may not all be present for every service configuration.

Adding Variables & Secrets

1

Open Service Settings

Navigate to your service and open the Variables & Secrets section
2

Add Variable or Secret

Click Add Variable or Add Secret, enter a name and value
3

Save

Changes apply to dev container immediately. For production, redeploy your service.

Variable References

A variable or secret value can include references to variables from the current service or another service. Type @ in the value field and select a variable from the list. Ardor inserts a reference token for you, including references to system variables such as ARDOR_PRIVATE_HOST. Variable References You can also click to create a reference directly. A single value can combine static text and multiple references. For example, a DATABASE_URL can be assembled from database credentials and the database service private host: 
postgresql://{{ postgres-db.POSTGRES_USER }}:{{ postgres-db.POSTGRES_PASSWORD }}@{{ postgres-db.ARDOR_PRIVATE_HOST }}:5432/{{ postgres-db.POSTGRES_DB }}
References are resolved when Ardor injects environment variables at runtime, so the consuming service receives one final value.

Naming Conventions

Environment variable names should be:
  • UPPERCASE with underscores: DATABASE_URL, API_KEY, DEBUG_MODE
  • Descriptive: POSTGRES_PASSWORD not PW
  • Prefixed for clarity: REDIS_HOST, REDIS_PORT, REDIS_PASSWORD
Some names are reserved by the system (like PORT). Ardor will warn you if you try to use a reserved name.

Common Use Cases

Connect to PostgreSQL, MySQL, or other databases:
VariableTypeExample
DATABASE_HOSTVariablepostgres-service.internal
DATABASE_PORTVariable5432
DATABASE_NAMEVariablemyapp
DATABASE_USERVariableadmin
DATABASE_PASSWORDSecret••••••••
import os

db_url = f"postgresql://{os.environ['DATABASE_USER']}:{os.environ['DATABASE_PASSWORD']}@{os.environ['DATABASE_HOST']}:{os.environ['DATABASE_PORT']}/{os.environ['DATABASE_NAME']}"

Reading Variables in Code

Variables and Secrets are injected as environment variables. Here’s how to read them: 
import os

# Required variable (raises error if missing)
api_key = os.environ['API_KEY']

# Optional with default
debug = os.environ.get('DEBUG', 'false')
port = int(os.environ.get('PORT', 8080))

Frontend Services

For frontend services (React, Vue, Next.js, etc.), variables and secrets are composed into a .env file at build time. Use them in your Dockerfile:
COPY .env .

RUN npm run build
Frontend variables typically need a prefix depending on your framework:
  • Vite: VITE_
  • Create React App: REACT_APP_
  • Next.js: NEXT_PUBLIC_
Frontend variables are embedded in the built code and visible to users. Never put secrets in frontend variables!

When Changes Apply

InVariablesSecrets
Dev ContainerRestart containerRestart container
DeploymentRedeploy serviceRedeploy service
Dev containers restart automatically when you save variable changes. For deployed service, you need to trigger a new deployment.

Security

How Secrets Are Protected

  • Encrypted at rest — Secrets are stored encrypted
  • Masked by default — Shown as ••••••••, but you can reveal them by clicking the eye icon

Best Practices

API keys, passwords, tokens, private keys — if it grants access to something, it’s a secret.
Be careful with debug logging. Never print environment variables that might contain secrets.
Change passwords and API keys periodically. Update the secret in Ardor, redeploy, done.
STRIPE_SECRET_KEY is better than KEY1. Future you will thank present you.
Only add secrets that a service actually needs. Don’t share database passwords with services that don’t use the database.

Troubleshooting

Cause: Container hasn’t restarted after adding the variable.Solution: Restart the dev container or redeploy the service.
Cause: Typo in variable name or old cached value.Solution:
  • Check the exact variable name (case-sensitive!)
  • Restart container to pick up latest values
Cause: Your code is logging environment variables.Solution: Review your logging code. Never log os.environ or similar dumps.
Cause: Missing framework prefix or variable added after build.Solution:
  • Add required prefix (VITE_, REACT_APP_, etc.)
  • Rebuild and redeploy the frontend

What’s Next

Service Configuration

Learn about all service settings including resources and networking

Development Container

Use the dev container to test your variables in real-time

Connecting Services

Connect multiple services and share configuration

Build with Cerebrum

Let Cerebrum set up variables and secrets for you automatically