Secret


The secret resource retrieves a team-managed secret and makes its value available to other resources in the sandbox configuration. Secrets are stored and managed at the team level, and referenced by name in your lab configuration.

As a lab author, you can use secret resources to:

  • Secure Credential Injection: Provide API keys, tokens, and passwords to containers and scripts without hardcoding sensitive values in your configuration
  • Third-Party Service Access: Supply credentials for external services like cloud APIs, registries, or SaaS tools needed during lab execution
  • Centralized Secret Management: Reuse team-level secrets across multiple labs without duplicating or embedding sensitive values

Secret resources allow you to safely inject sensitive values into your lab environment by referencing secrets managed centrally by your team.

resource "secret" "name" {
  reference = "TEAM_SECRET_NAME"
}

resource "secret" "api_key" {
  reference = "MY_API_KEY"
}

resource "container" "app" {
  image {
    name = "myapp:latest"
  }

  environment = {
    API_KEY = resource.secret.api_key.value
  }
}

Field      Required  Type    Description
reference            string  The name of the secret in the team settings

These attributes are set by the system after the secret is resolved:

Field Type Description
value string The resolved value of the secret

resource "secret" "db_password" {
  reference = "DATABASE_PASSWORD"
}

resource "container" "database" {
  image {
    name = "postgres:15"
  }

  environment = {
    POSTGRES_PASSWORD = resource.secret.db_password.value
    POSTGRES_DB       = "myapp"
  }
}

resource "secret" "api_token" {
  reference = "EXTERNAL_API_TOKEN"
}

resource "exec" "configure" {
  script = <<-EOF
    #!/bin/bash
    curl -H "Authorization: Bearer $API_TOKEN" https://api.example.com/configure
  EOF

  environment = {
    API_TOKEN = resource.secret.api_token.value
  }
}

resource "secret" "registry_password" {
  reference = "REGISTRY_PASSWORD"
}

resource "container" "app" {
  image {
    name     = "registry.example.com/myapp:latest"
    username = "registry_user"
    password = resource.secret.registry_password.value
  }
}

resource "secret" "db_password" {
  reference = "PROD_DB_PASSWORD"
}

resource "secret" "api_key" {
  reference = "THIRD_PARTY_API_KEY"
}

resource "container" "app" {
  image {
    name = "myapp:latest"
  }

  environment = {
    DATABASE_PASSWORD = resource.secret.db_password.value
    API_KEY           = resource.secret.api_key.value
  }
}
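
A review-time check for the goal stated above, that sensitive values are referenced through secret resources instead of being hardcoded in the lab configuration. This is an added example, not part of the original documentation or the product's tooling; `lint`, `SAMPLE` and the key-name pattern are assumptions, and the line-based matching is a heuristic, not a full HCL parser.

```python
import re

# Constructed sample lab configuration (not from the page): one hardcoded
# password, one reference to an undeclared secret, one correct reference.
SAMPLE = '''
resource "secret" "api_key" {
  reference = "MY_API_KEY"
}

resource "container" "app" {
  image {
    name     = "registry.example.com/myapp:latest"
    username = "registry_user"
    password = "hunter2-constructed"
  }
  environment = {
    API_KEY     = resource.secret.api_key.value
    DB_PASSWORD = resource.secret.db_password.value
    LOG_LEVEL   = "debug"
  }
}
'''

# Assumed heuristic: key names that usually carry credentials.
SENSITIVE = re.compile(r"(pass(word)?|secret|token|api_?key|credential)", re.I)
DECL = re.compile(r'^\s*resource\s+"secret"\s+"([^"]+)"', re.M)
ASSIGN = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*=\s*(.+?)\s*$')
SECRET_REF = re.compile(r'resource\.secret\.([A-Za-z_][\w-]*)\.value')

def lint(config):
    """Return (line_no, key, problem) findings for a lab configuration."""
    declared = set(DECL.findall(config))
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        m = ASSIGN.match(line)
        if not m:
            continue
        key, value = m.groups()
        for name in SECRET_REF.findall(value):
            if name not in declared:
                findings.append((no, key, f"undeclared secret '{name}'"))
        if SENSITIVE.search(key) and value.startswith('"'):
            findings.append((no, key, "hardcoded literal; use a secret resource"))
    return findings

if __name__ == "__main__":
    for no, key, problem in lint(SAMPLE):
        print(f"line {no}: {key}: {problem}")
```

The check reports line numbers and key names only, so its output can go into CI logs without echoing the flagged value.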