We recently updated flyctl to use the Machines API for managing secrets. As part of this change, flyctl keeps track of the minimum secrets version needed for each app. This value is used during Machines deploys to make sure that the secrets you set with flyctl are present on your Machines when they are deployed. When you deploy with a minimum secrets version, your deployment is guaranteed to capture every secret set as of the point in time associated with that secrets version. But if you set secrets using another instance of flyctl, or via the web dashboard for your application, the flyctl you deploy with will not know about the newer minimum secrets version, and a Machines deploy may pick up stale secrets.
To address this we’ve made two changes. First, the caches that hold secrets now have a bounded lifetime. Right now the limit is one hour. This means that any time you deploy with a stale minimum secrets version, at worst you will get secrets as they existed one hour ago.
The second change is to flyctl itself. We are adding a new command: flyctl secrets sync. When you run this command, any future Machines deploys you do with flyctl will capture all secrets as they existed at the time you ran the sync command, even if those secrets were set using another instance of flyctl or with the web dashboard. You shouldn’t need this command often, but if you change your app’s secrets using flyctl on another computer, or with the web dashboard, you can run flyctl secrets sync to guarantee that you capture those secrets the next time you use flyctl to deploy.