How are secrets added to a customer install?
Last updated: February 5, 2026
QUESTION
How are secrets added to a customer install?
ANSWER
Secret names and metadata (not the actual secret values) are declared in secrets.toml as part of the app configuration:
name = "cockroachdb_admin_pw"
display_name = "CockroachDB Admin PW"
description = "Password for the default cockroachdb admin user. This password is used to access the cluster admin."
kubernetes_sync = true
kubernetes_secret_namespace = "cockroach"
kubernetes_secret_name = "admin-pw"
When the customer deploys the CloudFormation stack sent by the vendor, the customer is prompted to enter values for the secrets specified in secrets.toml, which are then stored in AWS Secrets Manager.
Secrets are added entirely by the customer, in their cloud account. The vendor will never see those secrets.
If kubernetes_sync is set to true, Nuon runs an additional workflow step that syncs that secret to a specific Kubernetes namespace with the deployed app. This workflow step runs after the Kubernetes sandbox is provisioned and uses the key named "value" when creating the Kubernetes secret.
You can reference secrets in components and actions using templating.
In Helm where the secret is synced to a Kubernetes namespace:
# Helm values.yaml
...
service:
  port: 80
  targetPort: 3000
secrets:
  botTokenSecret: bot-user-oauth-token
# Helm template
apiVersion: apps/v1
kind: Deployment
...
      containers:
        - name: slack-app
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          ports:
            - containerPort: {{ .Values.deployment.containerPort }}
          env:
            - name: SLACK_BOT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.secrets.botTokenSecret }}
                  key: value
In a Terraform component where the secret is pulled from AWS Secrets Manager:
# terraform
name = "open_webui"
type = "terraform_module"
terraform_version = "1.13.5"
...
[vars]
...
openai_secret_arn = "{{ .nuon.install_stack.outputs.openai_api_key_arn }}"