Secrets can be accessed by cloud functions as environment variables. They are encrypted in transit and at rest, and injected as cleartext directly into the isolated function runtime environment.

Defining Secrets

Secrets are defined at the env section of the function configuration in binaris.yml:

functions:
  hello:
    file: hello.py
    entrypoint: handler
    runtime: python2
    env:
      SOME_SERVICE_URL: https://www.example.com
      AWS_ACCESS_KEY_ID:
      AWS_SECRET_ACCESS_KEY:

Assigning Values to Secrets

Variables with name and value are assigned directly at binaris.yml. Variables with a name only are assigned from the local environment variables at deploy time:

$ export AWS_ACCESS_KEY_ID=XXXXX
$ export AWS_SECRET_ACCESS_KEY=YYYYY
$ bn deploy hello

Reading Secrets at Runtime

import os

def handler(body, req):
    some_service_url = os.environ['SOME_SERVICE_URL']
    aws_access_key_id = os.environ['AWS_ACCESS_KEY_ID']
    # ...
    # return ...