All Products
Search

This Product

    Serverless App Engine:Manage and use secrets (Kubernetes Secrets)

    Document Center

    Serverless App Engine:Manage and use secrets (Kubernetes Secrets)

    Last Updated:Oct 31, 2025

    Secrets (Kubernetes Secrets) store sensitive information for your application at runtime, such as keys or certificates. Using secrets lets you change configurations after deployment without rebuilding your image.

    This topic does not cover dynamically retrieving configuration information from a configuration center. For more information, see Use Nacos of MSE or Manage distributed configurations (ACM).

    If you only need to store non-sensitive runtime environment variables, see Manage and use configuration items (Kubernetes ConfigMaps).

    Create a secret

    1. In SAE Secrets, select the destination region and namespace at the top, and then click Create. Make sure that you select the namespace where your target application resides.

      1. Specify a custom Name for the secret.

      2. Select a Type and configure it:

        • Opaque: Stores sensitive information without a specific format as key-value pairs, such as passwords or API keys.

          • Key-value Pair: Select whether to enable Base64 Encode Data Values. Then, enter the Name (Key) and Value for the sensitive information. Click Add to define multiple key-value pairs.

        • Private Image Repository Logon Key: Stores credentials to access a private container image repository. This ensures that SAE has permission to pull private images when it deploys an application.

          • Image Repository Address: The format is <domain name or IP of the image repository>:<service port of the image repository>. Ensure network connectivity between SAE and the image repository. For information about how to configure network access and obtain the image repository address for an Alibaba Cloud Container Registry (ACR) Enterprise Edition instance, see Push and pull images using an Enterprise Edition instance.

          • Username and Password.

        • TLS Certificate: Stores a TLS certificate when your application service needs to provide HTTPS access.

          • Cert and Key: The public key (Cert) and private key (Key) of the TLS certificate. You must enter the Base64-encoded content.

    2. In the Secrets list, view the created secret. You can Edit, Copy, or Delete the secret as needed.

      Important

      • After you modify a secret, you must manually redeploy the application that references it for the changes to take effect.

      • Deleting a secret affects the normal operation of applications that reference it. Before you delete a secret, make sure that you remove its reference from the applications.

    Pull an image using a secret

    For an example of how to pull an image when you deploy an application, see Deploy an application using an image from an ACR instance that belongs to a different account or Deploy an application using an image from a non-ACR instance.

    Use a secret as an environment variable for an application

    1. Create an application

      On the SAE Application List page, select a destination region and namespace in the top navigation bar, and then click Create Application. On the Application Basic Information page, configure the parameters and click Next: Advanced Settings.

      Change a running application

      Warning

      After you redeploy an application, the application is restarted. To prevent unpredictable errors such as business interruptions, we recommend that you deploy applications during off-peak hours.

      On the SAE Application List page, select a destination region and namespace in the top navigation bar. Click the ID of the target Application to open the application details page.In the navigation pane on the left, click Basic Information. In the upper-right corner, click Deploy Application.

      Change a stopped application

      On the SAE Application List page, select a destination region and namespace in the top navigation bar. Click the ID of the target Application to open the application details page.Click Basic Information, and then click Modify Application Configuration.

    1. In the Environment Variables section, set Type to Reference Secret. Specify a custom Variable Name for the current application. If you reference all keys, you do not need to specify a variable name. The key names are used as the variable names. Then, select the Secret Name and Key (the variable name in the secret) that you created. You can reference all keys. Click Add to add multiple secrets.

    2. Wait for the application to be deployed. To verify that the configuration is effective, log on to the webshell of an application instance and run the env | grep <variable_name> command. Replace <variable_name> with the variable name that you configured. If the mapping between the variable name and its value is returned, the configuration is effective.

    Mount a secret as a configuration file to the application's file system

    You can mount a secret to the file system within an application container. The value of the secret is used as the file content. You can specify a custom file path and file name. If a file with the same name exists in the path, the mounted file replaces the original file.

    1. Create an application

      On the SAE Application List page, select a destination region and namespace in the top navigation bar, and then click Create Application. On the Application Basic Information page, configure the parameters and click Next: Advanced Settings.

      Change a running application

      Warning

      After you redeploy an application, the application is restarted. To prevent unpredictable errors such as business interruptions, we recommend that you deploy applications during off-peak hours.

      On the SAE Application List page, select a destination region and namespace in the top navigation bar. Click the ID of the target Application to open the application details page.In the navigation pane on the left, click Basic Information. In the upper-right corner, click Deploy Application.

      Change a stopped application

      On the SAE Application List page, select a destination region and namespace in the top navigation bar. Click the ID of the target Application to open the application details page.Click Basic Information, and then click Modify Application Configuration.

    1. In the Secret section, click + Add. Select the Secret Name and Key (the variable name in the secret) that you created. You can mount all keys. Then, specify a custom Mount Path. If you mount a single key, enter an absolute path that includes the file name. If you mount all keys, enter an absolute path that does not include a file name. SAE automatically uses the key name of each configuration item as the file name. You can add multiple secrets.

    2. Wait for the application to be deployed. To verify that the configuration is effective, log on to the webshell of an application instance and view the content of the file in the mount path.