Secrets limit

Is there an upper boundary of secrets per Fly App or Machine? Additionally, is there a limit on the number that can be set via the CLI or GraphQL API?

Currently, we have an app with ~568 secrets (it has a ton of configuration) and I’m in the process of moving secrets management for this application to Doppler.

Doppler’s interface is preventing me from setting up the Fly.io integration with this error message about 400 secrets being an upper limit on Fly:

I’m hoping that this was a historic value, because we haven’t seen it ourselves in a real, deployed application. Can someone confirm or provide any insight about why Doppler would believe there is a limit of 400? I’m going to provide their support with a link to whatever context I can establish in this thread.

We don’t have a hard limit on secrets, but I don’t think you should use more than about 20. These are exposed as environment variables, there are going to be weird Linux edge cases the more you put in.

When you need more secrets than that, it would be best to inject them into your app some other way. Probably something at boot time that pulls them down and loads them into memory.

Someday we’ll have a lower level Secrets API that you can use for this sort of thing. Even then, we’ll probably add a restriction on how many you can set as an environment variable.

In case you haven’t thought of it before: Some folks have reported that using base64-encoded json or text files to vend multiple secrets with one Fly secret works nicely: